Guest post Created: Jan 13, 2016 Last commented: Jan 13, 2016

Assets value

Hi community, I have the following doubt: How you assess the value of an asset regarding the Confidentiality, Integrity and Availability? You do a average among these values? For example, if in my asset's qualitative analysis I assign 5 in confidentiality, 3 in the integrity and 1 in availability, which would be the asset value? 5+3+1/3 = 3 or 5 because is the highest value?&quest; Or, Which way do you recommends for compliance with the ISO? Thank so much. Best regards

0 0

Assign topic to the user

Select user

Guest

AntonioS Jan 13, 2016

From my point of view both approaches can be good for the standard, however taking the average does not make sense - it is much better to take the highest value from the C-I-A impact, and it is not necessary to consider the evaluation of each asset value: you can consider the assessment of consequences for the materialization of a risk , and the assessment of likelihood of occurrence of such risk.
Have you seen our free webinar about "The basics of risk assessment and treatment according to ISO 27001" ? : https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
This article can be also interesting for you ISO 2701 risk assessment: How to match assets, threats and vulnerabilities : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Jan 12, 2016

Expert Advice Community

Assets value

Assets value

Assign topic to the user

Comment as guest or Sign in

Suggested Topics

Asset value

Assigning value to assets

Understanding the core concepts of RPO & RTO - ISO 22301