Confidentiality, Integrity, and Availability
When developing a Risk Assessment, the CIA must be considered. If we use an asset-based approach, CIA refers to the asset, right? But if we use a risk-based or process-based approach, what will the CIA refer to?
Please note that ISO 27001 specifies that the CIA is related to risks (6.1.2 c 1) and to consequences (6.1.2 d 1), not to assets. Considering that, when using an asset-based Risk Assessment, you need to consider the CIA on the asset-threat-vulnerability set and on the consequences related to it.
When you talk about a risk-based Risk Assessment approach, I'm assuming you are referring to the description of a risk scenario (scenario-based). In this case, the CIA must refer to the described scenario and related consequences, while in a process-based Risk Assessment approach the CIA must refer to the defined process and related consequences.
For example:
- For asset-based: paper document - fire - the document is not stored in a fire-proof cabinet (affects availability)
- For scenario-based: Data leak with impact on regulatory compliance occurring once every five years (affects confidentiality)
- For process-based: Payment process failure, resulting in people receiving wrong values (affects integrity)
For further information, see:
- ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
Aug 13, 2020