Describing assessment of confidentiality
1 - Doesn't ISO 27001 have to describe an assessment of confidentiality, integrity and availability? In the risk analysis, I only evaluate according to threat and weakness. These have an effect on confidentiality, integrity and availability.
2 - For example, I find the Business Impact Analysis at the BSI. Don't I have to do this in ISO 27001 as well?
1 - Doesn't ISO 27001 have to describe an assessment of confidentiality, integrity and availability? In the risk analysis, I only evaluate according to threat and weakness. These have an effect on confidentiality, integrity and availability.
Please note that ISO 27001 does not prescribe any approach for risk assessment so organizations can choose the method that better suits their needs.
Considering that, if your chosen method complies with the requirements of clause 6.1.2 (Information security risk assessment), it is acceptable under the standard's requirements.
In your case, if you assess threats and weaknesses in terms of loss of confidentiality, integrity, and availability of information, then your approach is compliant with this requirement of the standard.
In case you are looking for a reference for information security risk assessment and treatment, you can consider ISO 27005, the ISO standard for information security risk management.
To see what a risk assessment and treatment methodology compliant with ISO 27001 looks like, please access the free demo of this template: https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/
This article will provide you with a further explanation of risk assessment:
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
These materials will also help you regarding information security risk management:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
2 - For example, I find the Business Impact Analysis at the BSI. Don't I have to do this in ISO 27001 as well?
Please note that ISO 27001 does not require a Business Impact Analysis to be performed. The core processes of ISO 27001 are risk assessment and risk treatment. Business Impact Analysis is a requirement of ISO 22301, the ISO standard for business continuity management.
For further information, see:
- Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/
Mar 24, 2021