Impact in the ISO 27001

Guest user   Created: Jan 12, 2016   Last commented: Jan 12, 2016

1. When we say the impact of a threat, do we mean the impact on the user of the asset or on the organization?

AntonioS   Jan 12, 2016

2. What exactly is the type of impact we are referring to? Is it monetary or operational impact? E.g. the impact of a server being down may have no cost but a delay in doing work for some users, with no monetary impact, so how do we describe such an impact?

3. When doing the risk assessment in ISO 22301 (BCM), do we only assess the impact in terms of availability?

4. Do we identify an asset as a whole (i.e. hardware and software in the case of a server) or not?

Answer:

1. The impact of a threat affects the organization.

2. The impact has to be assessed in terms of the damage to the Confidentiality, Integrity and Availability of the information.

If a server (with critical information) is down, it can be a risk for the organization (the risk can be calculated from the Likelihood and the Impact of threats). How can you calculate it? I recommend this free webinar, “The basics of risk assessment and treatment according to ISO 27001”: https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

I also recommend that you look at our methodology (you can see a free version if you click on the “Free Demo” tab): https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/

3. Yes; in this case the risk assessment of ISO 27001 is more complete, and you can also use it for ISO 22301. Please read this article, “Can ISO 27001 risk assessment be used for ISO 22301?”: https://advisera.com/27001academy/blog/2013/03/11/can-iso-27001-risk-assessment-be-used-for-iso-22301/

4. For me it is better to identify each type of asset separately. For example: machine HP DL-380 (type hardware), Windows 2003 server (type software), electronic documents, procedures, etc. (type Information). Why? Because the threats that affect the software are not the same as the threats that affect the hardware and the information. For more information about the asset register, please read this article, “How to handle Asset register (Asset inventory) according to ISO 27001”: https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

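The answer above makes three practical points: impact is damage to the organization, it is scored against Confidentiality, Integrity and Availability, and hardware, software and information are registered as separate assets because they face different threats. The following toy risk register puts those points into working code. It is an added example, not part of the original thread and not Advisera's methodology; the 1..5 scoring scale, the threat catalogue, the names `RiskEntry`, `risk_register` and `unacceptable`, and all sample scores are constructed for illustration. It also shows the availability-only view the answer to question 3 alludes to (reusing the same register for ISO 22301/BCM by scoring impact on A alone).

```python
"""Toy ISO 27001-style risk register (added example, not from the thread).

Assets are registered per type, each type has its own threat list, impact is
the damage to the organization scored on C/I/A, and risk = likelihood x impact.
All scales, threats and scores below are constructed sample values.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # constructed 1..5 scale for likelihood and impact
ALL_DIMENSIONS = ("C", "I", "A")


@dataclass(frozen=True)
class Asset:
    name: str
    asset_type: str  # "hardware" | "software" | "information"


@dataclass(frozen=True)
class RiskEntry:
    asset: Asset
    threat: str
    likelihood: int
    impact: dict  # {"C": n, "I": n, "A": n}: damage to the organization, not to one user


# Threats differ per asset type, which is why the answer registers each type separately
THREATS_BY_TYPE = {
    "hardware": ("Hardware failure", "Theft of equipment"),
    "software": ("Malware infection", "Exploitation of an unpatched flaw"),
    "information": ("Unauthorised disclosure", "Accidental deletion"),
}


def applicable_threats(asset):
    """Threats that make sense for this asset type (hypothetical catalogue)."""
    return THREATS_BY_TYPE.get(asset.asset_type, ())


def validate(entry):
    """Reject entries whose threat does not fit the asset type or whose scores are off-scale."""
    if entry.threat not in applicable_threats(entry.asset):
        raise ValueError(f"{entry.threat!r} does not apply to {entry.asset.asset_type}")
    if set(entry.impact) != set(ALL_DIMENSIONS):
        raise ValueError("impact must be scored for C, I and A")
    for score in (entry.likelihood, *entry.impact.values()):
        if score not in SCALE:
            raise ValueError(f"score {score} outside scale 1..5")


def is_valid(entry):
    try:
        validate(entry)
        return True
    except ValueError:
        return False


def impact_score(entry, dimensions=ALL_DIMENSIONS):
    """Worst-case damage to the organization across the selected CIA dimensions."""
    return max(entry.impact[d] for d in dimensions)


def risk_score(entry, dimensions=ALL_DIMENSIONS):
    validate(entry)
    return entry.likelihood * impact_score(entry, dimensions)


def risk_register(entries, dimensions=ALL_DIMENSIONS):
    """Rows of (asset, threat, risk), highest risk first; order is stable for ties."""
    rows = [(e.asset.name, e.threat, risk_score(e, dimensions)) for e in entries]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def unacceptable(entries, threshold, dimensions=ALL_DIMENSIONS):
    """Rows at or above the organization's (constructed) acceptance threshold."""
    return [r for r in risk_register(entries, dimensions) if r[2] >= threshold]


# Constructed sample: the server from the answer, split into hardware / software / information
SERVER_HW = Asset("HP DL-380", "hardware")
SERVER_OS = Asset("Windows 2003 server", "software")
CONTRACTS = Asset("Customer contracts (electronic documents)", "information")

SAMPLE_ENTRIES = [
    RiskEntry(SERVER_HW, "Hardware failure", 3, {"C": 1, "I": 2, "A": 4}),
    RiskEntry(SERVER_OS, "Malware infection", 4, {"C": 3, "I": 4, "A": 3}),
    RiskEntry(CONTRACTS, "Unauthorised disclosure", 2, {"C": 5, "I": 1, "A": 1}),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_ENTRIES):
        print("%-45s %-28s risk=%d" % row)
    # Availability-only view: the same register reused for ISO 22301 / BCM
    for row in risk_register(SAMPLE_ENTRIES, dimensions=("A",)):
        print("[A only] %-36s %-28s risk=%d" % row)
```

Note how the same three entries rank differently once only Availability is scored: the disclosure risk on the contracts drops to the bottom, while the hardware failure rises to the top. That is the practical reason the answer says an ISO 27001 assessment "is more complete" and can feed the BCM assessment rather than the other way round.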