From my point of view, both approaches can be good for the standard; however, taking the average does not make sense - it is much better to take the highest value from the C-I-A impact, and it is not necessary to consider the evaluation of each asset value: you can consider the assessment of consequences for the materialization of a risk, and the assessment of likelihood of occurrence of such risk.
Have you seen our free webinar about "The basics of risk assessment and treatment according to ISO 27001"? https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
This article may also be interesting for you: "ISO 27001 risk assessment: How to match assets, threats and vulnerabilities": https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
Jan 12, 2016