Impact correlation between multiple risks
Hi Dejan,
I’ve a question regarding the correlation between multiple risks and the impact evaluation of these correlating risks.
Let's say I have these 2 risks:
- Risk 1
  - Asset: Office room
  - Vulnerability: Lack of access controls to facilities, rooms or offices
  - Threat: Unauthorized entry into facilities, rooms or offices
- Risk 2
  - Asset: Printer
  - Vulnerability: Network devices inadequately physically protected
  - Threat: Unauthorized access to equipment
Now during impact evaluation, I would assess the impact of each risk for itself as medium. But if both risks materialize at the same time I would assess each as a high risk because this would mean an unknown person instead of an employee would access the printer. How would you represent the combination of both risks during risk assessment?
Since you are considering the situation where both risks materialize at the same time, the best way to record it is as a single risk, considering as the asset the one directly handling the information. Considering your example:
- Asset: Printer
- Vulnerability: Lack of access controls to facilities, rooms, or offices
- Threat: Unauthorized entry into facilities, rooms, or offices
Please note that this new risk considers the asset of the printer (which has the information) and the situation related to unauthorized access is used as a threat. Changing risk value according to different scenarios, instead of recording a new risk, will only make your assessment unnecessarily more complex.
This article will provide you with further explanation about risk assessment:
Feb 14, 2023