Information Security Risk Assessment
From my point of view you need to categorize assets. For example: Information (customer information, payroll information, etc.), Software (Navision, MS-SQL), Hardware (PCs, file servers, backup tapes). These assets are of different types and they have different threats/vulnerabilities, so the distinction is important.
Regarding point 2 of your approach, remember that you also need to consider the impact in case the integrity or availability of each asset is affected.
Other comments: You also need to include assets like infrastructure, people, etc. Identify the asset owner, determine which risks are not acceptable, and note that the calculation of the value of the assets is not necessary if you assess the impact. See this article "How to assess consequences and likelihood in ISO 27001 risk analysis" : https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
Finally, this article can be interesting for you "How to handle Asset register (Asset inventory) according to ISO 27001" : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
And these articles may also be interesting for you:
"How to write ISO 27001 risk assessment methodology" : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
"How to assess consequences and likelihood in ISO 27001 risk analysis" : https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
Jan 13, 2016
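As an added illustration of the approach described in the answer above (example code, not part of the original post), a small Python risk register that groups assets by type, records the asset owner and the confidentiality/integrity/availability impact of each threat, and lists the risks that exceed an acceptance threshold. The 1-to-5 scale, the "risk = worst CIA impact x likelihood" formula, the threshold of 10 and every sample entry are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

SCALE = range(1, 6)  # assumption: 1 (negligible) .. 5 (severe) for impact and likelihood

@dataclass
class Asset:
    """One row of the risk register: an asset of a given type, its owner and one threat."""
    name: str
    asset_type: str   # e.g. Information, Software, Hardware, Infrastructure, People
    owner: str        # the asset owner who signs off on the assessment
    threat: str
    confidentiality: int
    integrity: int
    availability: int
    likelihood: int

    def __post_init__(self):
        # Reject ratings outside the agreed scale so the register stays comparable
        for label in ("confidentiality", "integrity", "availability", "likelihood"):
            if getattr(self, label) not in SCALE:
                raise ValueError(f"{self.name}: {label} must be in 1..5")

    def impact(self) -> int:
        # Loss of any one of C, I or A can hurt; the worst case drives the risk level
        return max(self.confidentiality, self.integrity, self.availability)

    def risk(self) -> int:
        return self.impact() * self.likelihood

def by_type(register):
    """Group the register by asset type (Information, Software, Hardware, ...)."""
    grouped = defaultdict(list)
    for asset in register:
        grouped[asset.asset_type].append(asset)
    return dict(grouped)

def unacceptable_risks(register, threshold):
    """Risks above the accepted threshold, worst first, as input to the treatment plan."""
    return sorted((a for a in register if a.risk() > threshold),
                  key=lambda a: a.risk(), reverse=True)

# Constructed sample register (assumed values, not from the original post)
REGISTER = [
    Asset("Customer information", "Information", "Sales manager", "Unauthorised disclosure", 5, 3, 2, 3),
    Asset("Payroll information", "Information", "HR manager", "Unauthorised modification", 4, 5, 2, 2),
    Asset("Navision", "Software", "IT manager", "Service outage", 3, 4, 4, 3),
    Asset("File server", "Hardware", "IT manager", "Disk failure", 1, 2, 5, 2),
    Asset("Backup tapes", "Hardware", "IT manager", "Loss or theft of tape", 5, 1, 3, 2),
]

if __name__ == "__main__":
    for a in unacceptable_risks(REGISTER, threshold=10):
        print(f"TREAT: {a.name} (owner: {a.owner}, threat: {a.threat}) risk={a.risk()}")
```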