Differences between process based and asset based risk assessments
Answer:
In asset-based risk assessment you work with the elements of your scenario (assets) and the elements that affect them (vulnerabilities and threats) to assess the risk. On the other hand, in process-based risk assessment you work with situations, without needing to describe assets, vulnerabilities and threats to assess the risk.
Example of asset-based risk assessment: you can take a server as the asset, outdated anti-malware software as the vulnerability, and a virus as the threat, to assess the risk.
Example of process-based risk assessment: you can use a payment process failure (regardless of the assets involved) to assess the risk.
This article will provide you with further explanation about ISO 31010:
- ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification https://advisera.com/27001academy/blog/2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identification/
The process-based approach is far better than the asset-based one, since it allows even non-technical risks which pose security risks to the information assets, e.g. someone not following the security policy. Now, this cannot be detected through asset-based risk management.
The best approach is to use a combined approach. During the process-based risk assessment, make sure to identify the IT assets supporting the process and the risks related to those assets.
Aug 02, 2020