Enterprise risk management and ISO 27001
2. The revised standard expects to incorporate information security risk into the other enterprise-level risk framework.
Given the above two expectations, can you please elaborate how we could integrate the asset-based approach and enterprise-level risk?
Answer:
First of all, ISO 31000 is not mandatory for ISO 27001:2013 - see this article: ISO 31000 and ISO 27001 - How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
Second, information security risks are only a subset of enterprise risks - therefore, you cannot cover all the enterprise risks with an information security risk assessment.
Therefore, in my opinion the best solution is to use a more detailed methodology (e.g. asset-based or similar) for information security risk assessment, and use some other methodology for the other risks in your company.
Jan 12, 2016