Hybrid approach for risk assessment
Can we perform a hybrid approach (service-based & asset-based) risk assessment? Also, can we create the process/methodology document likewise?
Answer: ISO 27001 does not prescribe any approach for risk assessment, so you can adopt the one that better suits your organization, even a hybrid one. The same applies to the process/methodology: you can create your own, provided it fulfills the requirements of the standard.
But please note that you have to verify if the benefits of adopting a hybrid approach will be greater than the complexity required to perform it.
For information about alternative approaches for risk identification, please read:
- ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification https://advisera.com/27001academy/blog/2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identification/
Sep 06, 2019