
Expert Advice Community

Best methodology for information security risk assessment

Guest user. Created: Mar 04, 2021. Last commented: Mar 04, 2021

1. What is the best methodology for an information security risk assessment?

2. How can one ensure that privacy principles are dealt with in accordance with relevant legislation and regulations? If the client says that he is performing an assessment to ensure he is in line with the DPA, is this information enough to make him compliant with clause 18.1.4?


Expert: Rhand Leal, Mar 04, 2021

1. What is the best methodology for an information security risk assessment?

Please note that there is no single answer for this question because the “best” methodology will depend on many variables like business context, objectives, internal culture, etc. You can even write your own methodology if you want.

Now, the most commonly used methodology for information security risk assessment is the asset-threat-vulnerability approach, mostly because it was part of the previous version of ISO 27001.

For further information, see:

To see what risk assessment and risk treatment documents (including the Statement of Applicability) compliant with ISO 27001 look like, please see the free demos of this toolkit: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

2. How can one ensure that privacy principles are dealt with in accordance with relevant legislation and regulations? If the client says that he is performing an assessment to ensure he is in line with the DPA, is this information enough to make him compliant with clause 18.1.4?

Please note that control A.18.1.4 (Privacy and protection of personally identifiable information) requires PII to be protected as required by relevant applicable legislation and regulation. To evidence conformity with the control, the client needs to present not only which legislation and regulation he/she must comply with, but also which controls are implemented, and evidence that each control is performing as expected.

For example, if legislation requires information availability, then the client has to say how compliance is ensured (e.g., by implementing a backup policy) and present evidence that the control is implemented (e.g., by showing backup generation logs and backup test results). So, only stating that an assessment is performed is not enough to provide evidence of compliance with control A.18.1.4.
