Expert Advice Community

Guest

Conformio Risk Register

  Quote
Guest
Guest user Created:   Jun 28, 2022 Last commented:   Jun 28, 2022

Conformio Risk Register

I noticed that the risk register within Confirmio is built with asset-focused method of doing risk assessment (as per version 27001:2005). However, with version of 27001:2013, the risk assessment method is using information-focused (6.1.2.c.1).

My question is do you have a risk register module that follows information-focused approach?

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Jun 28, 2022

Conformio does not have a risk register module based on an information-focused approach, because “information-focused” is not an approach for risk assessment, but the way you need to see risks when using a risk assessment approach.

Please note that clause 6.1.2.c.1 does not define a risk assessment method, only that the chosen approach focuses on risks related to the loss of confidentiality, integrity, and availability of information the ISMS is intended to protect (which is to be “information-focused”).

Considering that, all chosen approaches for information security risk assessment (e.g., asset-based, process-based, scenario-based, etc.) need to be information-focused.

The asset-based approach used in Conformio’s Risk Register is information-focused because each asset vulnerability threat is defined in a way that leads to a potential loss of confidentiality, integrity, and availability of information.

For example, the risk of “paper report – single copy – fire” leads to a potential loss of confidentiality.

For further information, see:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Jun 27, 2022

Jun 27, 2022

Suggested Topics