Best methodology for information security risk assessment

1. What is the best methodology for an information security risk assessment?

Please note that there is no single answer for this question because the “best” methodology will depend on many variables like business context, objectives, internal culture, etc. You can even write your own methodology if you want.

Now, the most commonly used methodology for information security risk assessment is the asset-threat-vulnerability approach, mostly because it was part of the previous version of ISO 27001.

For further information, see:

• How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
• ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

To see how risk assessment and risk treatment documents (including the Statement of Applicability) compliant with ISO 27001 look like, please see the free demos of this toolkit: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

2. How to ensure if privacy principles are dealt with in accordance with relevant legislation and regulations? If the client says that he is performing an assessment to ensure he is in line with the DPA, is this information enough to make him compliant with clause 18.1.4?

Please note that control A.18.1.4 (Privacy and protection of personally identifiable information) requires PII to be protected as required by relevant applicable legislation and regulation, and to evidence conformity, with the control the client needs to present not only which legislation and regulation he/she must comply with, but also which controls are implemented and evidence that the control is performing as expected. 

For example, if legislation requires information availability, then the client has to say how compliance is ensured (e.g., by implementing a backup policy), and presents evidence that the control is implemented (e.g., by showing backup generation logs and backup test results). So, only by stating that assessment is performed is not enough to provide evidence of compliance with control A.18.1.4.