I have a question for you regarding ISO 27002 controls and the 'business risk' associated with
failure/non-implementation of the controls - is there a catalog (or resource) for the type of risk
findings shown here (as an example) -
-Asset management program is informal and applied inconsistently across the enterprise.
Failure to track all assets could lead to incomplete application of security programs (e.g., patch management), inadequate level of security (controls) for sensitive assets, and increased spending on unnecessary assets.
-Formal data classification schema does not exist (currently in development).
Without a data classification standard in place, [Client] may not fully understand the risk presented by specific data, leading to incomplete labeling and handling of assets (i.e., inadequate security controls).
-Incident response (IR) responsibilities are only communicated through training without an overarching IR plan in place.
The lack of a formal incident response plan could lead to confusion over management and employee responsibilities during an incident, causing untimely or inappropriate handling of incidents that pose an immediate risk.
-Site specific business continuity plans do not include required security controls identified through business impact analysis (BIA) assessments.
Failure to identify (BIA) and incorporate security requirements (controls) within site business continuity plans could lead to an inadequate level of security during events that trigger the business continuity program.
Answer:
There is no specific catalogue (or resource) for this type of risk finding, but there are catalogues of threats/vulnerabilities that you can use to calculate the risks, which can help you with risk management. Here you can find an interesting catalogue of threats/vulnerabilities related to information security: https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
Keep in mind that ISO 27001/ISO 27002 are standards related to information security risks, not to global business risks.
Finally, this article may be of interest to you: "ISO 27001 risk assessment: How to match assets, threats and vulnerabilities": https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
Jan 12, 2016