Confidentiality, Integrity, and Availability
When developing Risk Assessment, the CIA must consider. If we use asset-based, CIA refers to the asset, right? But if we use risk or process based, the CIA will refer to what?
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
Please note that ISO 27001 specifies that the CIA is related to risks (6.1.2 c 1), and to consequences (6.1.2 d 1), not to assets. Considering that, when using asset-based Risk Assessment, you need to consider the CIA on the asset-threat-vulnerability set, and to consequences related to it.
When you talk about a risk-based Risk Assessment approach, I'm assuming you are referring to the description of a risk scenario (scenario-based). In this case, the CIA must refer to the described scenario and related consequences, while that in a process-based Risk Assessment approach the CIA must refer to the defined process and related consequences.
For example:
- For asset-based: paper document - fire - the document is not stored in a fire-proof cabinet (affects availability)
- For scenario-based: Data leak with impact on regulatory compliance occurring once every five years (affects confidentiality)
- For process-based: Payment process failure, resulting in people receiving wrong values (affects integrity)
For further information, see:
- ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
Comment as guest or Sign in
Aug 13, 2020