Impact correlation between multiple risks

Guest user Created:   Feb 14, 2023 Last commented:   Feb 14, 2023

Hi Dejan,

I’ve a question regarding the correlation between multiple risks and the impact evaluation of these correlating risks.

Let's say I have these 2 risks:

  • Risk 1
    • Asset: Office room
    • Vulnerability: Lack of access controls to facilities, rooms or offices
    • Threat: Unauthorized entry into facilities, rooms or offices

  • Risk 2
    • Asset: Printer
    • Vulnerability: Network devices inadequately physically protected
    • Threat: Unauthorized access to equipment

Now during impact evaluation, I would assess the impact of each risk for itself as medium. But if both risks materialize at the same time I would assess each as a high risk, because this would mean an unknown person instead of an employee would access the printer. How would you represent the combination of both risks during risk assessment?

Expert
Rhand Leal Feb 14, 2023

Since you are considering the situation where both risks materialize at the same time, the best way to record it is as a single risk, considering as the asset the one directly handling the information. Considering your example:

  • New risk
    • Asset: Printer
    • Vulnerability: Lack of access controls to facilities, rooms, or offices
    • Threat: Unauthorized entry into facilities, rooms, or offices

Please note that this new risk considers the asset of the printer (which has the information) and the situation related to unauthorized access is used as a threat. Changing risk value according to different scenarios, instead of recording a new risk, will only make your assessment unnecessarily more complex.

This article will provide you with further explanation about risk assessment:
