Expert Advice Community

Conformio Risk Register

Guest
Guest user Created:   Jun 28, 2022 Last commented:   Jun 28, 2022

I noticed that the risk register within Conformio is built with an asset-focused method of doing risk assessment (as per version 27001:2005). However, in version 27001:2013, the risk assessment method is information-focused (6.1.2.c.1).

My question is: do you have a risk register module that follows the information-focused approach?

Expert
Rhand Leal Jun 28, 2022

Conformio does not have a risk register module based on an information-focused approach, because “information-focused” is not an approach for risk assessment, but the way you need to see risks when using a risk assessment approach.

Please note that clause 6.1.2.c.1 does not define a risk assessment method; it only requires that the chosen approach focuses on risks related to the loss of confidentiality, integrity, and availability of the information the ISMS is intended to protect (which is what “information-focused” means).

Considering that, all chosen approaches for information security risk assessment (e.g., asset-based, process-based, scenario-based, etc.) need to be information-focused.

The asset-based approach used in Conformio’s Risk Register is information-focused because each asset/vulnerability/threat combination is defined in a way that leads to a potential loss of confidentiality, integrity, or availability of information.

For example, the risk of “paper report – single copy – fire” leads to a potential loss of confidentiality.

For further information, see:

