Expert Advice Community

Guest

Describing assessment of confidentiality

  Quote
Guest
Guest user Created:   Mar 24, 2021 Last commented:   Mar 24, 2021

Describing assessment of confidentiality

1 - Doesn't ISO 27001 have to describe an assessment of confidentiality, integrity and availability? In the risk analysis, I only evaluate according to threat and weakness. These have an effect on confidentiality, integrity and availability.

2 - For example, I find the Business Impact Analysis at the BSI. Don't I have to do this in ISO 27001 as well?

0 0

Assign topic to the user

Assign

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Mar 24, 2021

1 - Doesn't ISO 27001 have to describe an assessment of confidentiality, integrity and availability? In the risk analysis, I only evaluate according to threat and weakness. These have an effect on confidentiality, integrity and availability.

Please note that ISO 27001 does not prescribe any approach for risk assessment so organizations can choose the method that better suits their needs.

Considering that, if your chosen method complies with the requirements of clause 6.1.2 (Information security risk assessment) it is acceptable by standard’s requirements.

In your case, if you assess threats and weaknesses in terms of loss of confidentiality, integrity, and availability of information, then your approach is compliant with this requirement of the standard.

In case you are looking for a reference for information security risk assessment and treatment, you can consider ISO 27005, the ISO standard for information security risk management.

To see how a risk assessment and treatment methodology compliant with ISO 27001 looks like, please access the free demo of this template: https://advisera.com/27001academy/01academy/emy/ademy/my/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/

This article will provide you a further explanation about risk assessment:

These materials will also help you regarding information security risk management:

2 - For example, I find the Business Impact Analysis at the BSI. Don't I have to do this in ISO 27001 as well?

Please note that ISO 27001 does not require Business Impact Analysis to be performed. ISO 27001 core processes are risk assessment and risk treatment. Business Impact Analysis is a requirement for ISO 22301, the ISO standard for the management of business continuity.

For further information, see:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Mar 24, 2021

Mar 24, 2021

Suggested Topics

Guest user Created:   May 09, 2019 ISO 27001 & 22301
Replies: 1
0 0

Confidentiality levels

Guest user Created:   May 07, 2021 ISO 27001 & 22301
Replies: 1
0 0

Risk assessment

Guest user Created:   May 05, 2021 ISO 27001 & 22301
Replies: 1
0 0

Risk assessment treatment