How to write ISO 27001 risk assessment methodology
Maybe you can answer one question for me beforehand... How exactly does one evaluate the impact of a risk? You know, the percentage stuff. Say, for example, an insider incident: an insider exploits their access to steal or modify information. How do I evaluate the raw probability and the raw impact?
Answer:
For me it is easier to use scales, for example Low, Medium or High. If you explain precisely what each of these grades means, then it will be rather easy to assess impact or likelihood. If you want, you can see how it's done in our template Risk Assessment and Risk Treatment Methodology: https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/
Also, you can read this article, where we talk about how to write an ISO 27001 risk assessment methodology: https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
Jan 12, 2016