Expert Advice Community

How many threats and vulnerabilities to display

Guest user Created:   Feb 24, 2017 Last commented:   Feb 24, 2017

I've got another question about the ISO 27001 Risk Assessment Table. In this table, should I only focus on the threats and vulnerabilities that are likely to happen, or can I include every possible option? How wide can and should I go? Because in the example I have seen in the video tutorial, you used 'flood' as a possible threat, which is very unlikely to happen, I suppose. So does it matter if / is it necessary that I include all possible threats with a likelihood score of 0?

Expert
Dejan Kosutic Feb 24, 2017

Answer: Theoretically, you should include every possible option, i.e. combination of threats and vulnerabilities related to each threat, even if their value is 0. However, in my opinion you shouldn't list more than 5 threats for each asset, and more than 2 vulnerabilities for each threat.

This article will give you more explanation: ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
