Expert Advice Community

Confidentiality, Integrity, and Availability

Guest user Created:   Aug 13, 2020 Last commented:   Aug 13, 2020

When developing a Risk Assessment, the CIA must be considered. If we use an asset-based approach, the CIA refers to the asset, right? But if we use a risk-based or process-based approach, what will the CIA refer to?


Expert
Rhand Leal Aug 13, 2020

Please note that ISO 27001 specifies that the CIA is related to risks (6.1.2 c 1) and to consequences (6.1.2 d 1), not to assets. Considering that, when using an asset-based Risk Assessment, you need to consider the CIA on the asset-threat-vulnerability set, and on the consequences related to it.

When you talk about a risk-based Risk Assessment approach, I'm assuming you are referring to the description of a risk scenario (scenario-based). In this case, the CIA must refer to the described scenario and its related consequences, whereas in a process-based Risk Assessment approach the CIA must refer to the defined process and its related consequences.

For example:

  • For asset-based: paper document - fire - the document is not stored in a fire-proof cabinet (affects availability)
  • For scenario-based: Data leak with impact on regulatory compliance occurring once every five years (affects confidentiality)
  • For process-based: Payment process failure, resulting in people receiving wrong values (affects integrity)

For further information, see:

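The following is an added example, not code from the original answer or from Advisera's toolkit. It encodes the point made above in a minimal risk register: whichever approach is used (asset-, scenario- or process-based), the affected security property and the consequence are recorded on the risk entry, never on the asset alone, and an asset-based entry is rejected unless it names the threat and vulnerability that complete the set. The 1..5 likelihood/impact scale, the acceptance threshold of 6, and the specific likelihood and impact values given to the three example risks are assumptions for illustration.

```python
"""Minimal ISO 27001-style risk register showing where C/I/A attaches.

Added example, not from the original post. Scale (1..5), threshold and the
values assigned to the three example risks are assumptions for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Property(Enum):
    CONFIDENTIALITY = "C"
    INTEGRITY = "I"
    AVAILABILITY = "A"


@dataclass(frozen=True)
class Risk:
    approach: str            # "asset", "scenario" or "process"
    subject: str             # the asset, scenario or process the risk is described against
    affected: frozenset      # of Property: which of C/I/A the risk affects (6.1.2 c 1)
    consequence: str         # what happens if the risk materialises (6.1.2 d 1)
    likelihood: int          # assumed 1..5 scale
    impact: int              # assumed 1..5 scale
    # Only meaningful for the asset-based approach
    threat: Optional[str] = None
    vulnerability: Optional[str] = None

    def __post_init__(self):
        if self.approach not in ("asset", "scenario", "process"):
            raise ValueError(f"unknown approach {self.approach!r}")
        if not self.affected:
            raise ValueError("a risk must state which of C/I/A it affects")
        if self.approach == "asset" and not (self.threat and self.vulnerability):
            # C/I/A is judged on the asset-threat-vulnerability set, so an
            # asset by itself is not a risk and cannot carry a property.
            raise ValueError("asset-based risk needs a threat and a vulnerability")
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and impact must be on the 1..5 scale")

    def score(self) -> int:
        return self.likelihood * self.impact


def build_register() -> list:
    """The three examples from the answer, scored on the assumed scale."""
    return [
        Risk("asset", "paper document",
             frozenset({Property.AVAILABILITY}),
             "document destroyed and unrecoverable",
             likelihood=2, impact=3,
             threat="fire",
             vulnerability="document not stored in a fire-proof cabinet"),
        Risk("scenario", "data leak",
             frozenset({Property.CONFIDENTIALITY}),
             "impact on regulatory compliance",
             likelihood=1, impact=5),   # roughly once every five years
        Risk("process", "payment process",
             frozenset({Property.INTEGRITY}),
             "people receive wrong values",
             likelihood=3, impact=4),
    ]


def by_property(register) -> dict:
    """Group risk subjects by the C/I/A property they affect."""
    groups = {p: [] for p in Property}
    for risk in register:
        for p in risk.affected:
            groups[p].append(risk.subject)
    return groups


def needs_treatment(register, threshold: int = 6) -> list:
    """Subjects of risks whose score exceeds the (assumed) acceptance threshold."""
    return [r.subject for r in register if r.score() > threshold]


if __name__ == "__main__":
    reg = build_register()
    for r in reg:
        props = "".join(sorted(p.value for p in r.affected))
        print(f"{r.approach:8} {r.subject:16} {props:3} score={r.score()}")
    print("treat:", needs_treatment(reg))
```

Because the property sits on the `Risk` entry rather than on `subject`, the same asset can legitimately appear in several entries with different properties (the same paper document under a theft threat would affect confidentiality), which is exactly the distinction the answer draws between the asset and the asset-threat-vulnerability set.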
