Challenges on risk assessment and treatment

Guest user. Created: May 15, 2018. Last commented: May 15, 2018.

1. How to calculate the risk rating - calculation of threat value and vulnerability value.

Expert
Rhand Leal May 15, 2018

Answer: To calculate, or define, the values of threat and vulnerability you must consider historical / statistical data (either from your own organization or related to your industry) and the opinion of the personnel who best know the assets and the process you are assessing. The information available will allow you either to calculate the values based on quantifiable data or to adopt values based on the perception you and your team have of the situation.

It is important to note that for ISO 27001 there is no need to assess threat/vulnerability values to calculate the level of risk.

These articles will provide you with more information:
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- Qualitative vs. quantitative risk assessments in information security: Differences and similarities https://advisera.com/27001academy/blog/2017/03/06/qualitative-vs-quantitative-risk-assessments-in-information-security/

2. How to write the findings and recommendations in the assessment report with the overall risk rating and security ranking?

Answer: ISO 27001 does not require the findings of the assessment report to be linked directly with the overall risk rating and security ranking (in fact, including this correlation would result in an excessively complex report with little added value).

Regarding recommendations, for each finding the consultant should provide at least one or two recommendations on how to handle the situation (e.g., controls to minimize the probability and/or impact of a risk occurring).

3. Kindly do let me know how to update the overall score and risk rating (Highlighted in Red box)

Answer: If by the overall score and risk rating you mean the level of risk associated with the findings identified in the assessment, then the way to improve the score and the rating is to introduce controls which will decrease the risk, by handling the findings.