Confidentiality, integrity and availability in the risk assessment
Reading the standard, it says: 6.1.2 c) Apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system.
Should I actually record the CIA or just consider each and decide on a consequence/likelihood rating?
Answer: Neither the 2005 nor the 2013 revision of ISO 27001 requires you to assess confidentiality, integrity or availability as a separate valuation, nor do they require you to assess C, I and A separately from the impact, nor do they require you to explicitly identify the relationship between the risk and the C, I, or A. ISO 27001 simply requires you to identify the risk.
Actually, when you look closely, loss of confidentiality, integrity and availability is nothing else but assessing the impact. Therefore, you can (a) assess the impact taking into consideration the highest loss from either C, I or A, or (b) you can assess the impact separately for C, for I, and for A.
Jan 12, 2016