Expert Advice Community

Differences between process based and asset based risk assessments

Guest user Created:   Nov 24, 2018 Last commented:   Aug 02, 2020

What exactly are the difference criteria for process-based and asset-based risk assessment?
Expert
Rhand Leal Nov 24, 2018

Answer:

In asset-based risk assessment, you work with elements of your scenario (assets) and elements that affect them (vulnerabilities and threats) to assess the risk. On the other hand, in process-based risk assessment you work with situations, not needing to describe assets, vulnerabilities and threats to assess the risk.

Example for asset-based risk assessment: you can take a server as the asset, outdated anti-malware software as the vulnerability, and a virus as the threat, to assess the risk.

Example for process-based risk assessment: you can use a payment process failure (regardless of the assets involved) to assess the risk.

This article will provide you further explanation about ISO 31010:
- ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification https://advisera.com/27001academy/blog/2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identification/

Guest
Mahesh Vagadiya Aug 02, 2020

The process-based approach is far better than the asset-based one, since it allows even non-technical risks which pose security risks to the information assets, e.g. someone not following the security policy. Now, this cannot be detected through asset-based risk management.

Guest
Mahesh Vagadiya Aug 02, 2020

The best approach is to use a combined approach. During the process-based risk assessment, make sure to identify the IT assets supporting the process and the risks related to those assets.
