Save 20% on accredited ISO 27001 course exams.
Limited-time offer – ends July 18, 2024
Use promo code:
EXAM20

Expert Advice Community

Guest

Information Security Risk Assessment

  Quote
Guest
Guest post Created:   Jan 13, 2016 Last commented:   Jan 13, 2016

Information Security Risk Assessment

Hello there i am in the process of performing risk assessment for all departments of the company.  i followed that approach for identification and evaluation of the asset value: 1- interviewed each head of department. identified information assets (started with electronic data). for each information asset (electronic data) - for example customer information, payroll information, etc. identified the asset containers (where such assets are stored (for example - Navision application, MS-sql database, user's PC, company file servers, backup tapes, etc.).  2- Interviewed each head of department in relation to information asset value (which is based to a predefined BIA matrix). for example what could be the impact in case the confidentiality of the information asset is compromise. i used values low - moderate - high. and i repeated that for each asset. 3- based to that information i put the value of information asset containers to max of the asset values that store (for example if NAVISION has customer information (moderate) and payroll information (high) - then i put the value of confidentiality for NAVISION to high. 4- during interviews I identified around 50 information assets (electronic data) and i mapped them to 5 information assets (navision and its related infrastructure (ms-sql and windows), file server, User PCs and backup tapes). all of them were rating as high (using the above mentioned logic). 5- after that i identified threats/vulnerabiltiies for each of these 5 assets. 6- i calculated risks using formula = propability * impact (which is evaluated in point 3). please let me know if this correct.. or i am missing something. thanks
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Guest
AntonioS Jan 13, 2016

From my point of view you need to categorize assets. For example: Information (Customer information, payroll information, etc), Software (Navision, MS-SQL), Hardware (PCs, file servers, backups tapes). These assets are different (different type) and they have different threats/vulnerabilities, so it is important the distinction.

Regarding the point 2 of your approach, remember that you also need to consider the impact in case the integrity and availability of each asset.

Other comments: You need also to include assets like infrastructure, people, etc. Identify the asset owner, determine which risks are not acceptable, and the the calculation of the value of the assets is not necessary if you assess the impact. See this article "How to assess consequences and likelihood in ISO 27001 risk analysis" : https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
Finally, this article can be interesting for you "How to handle Asset register (Asset inventory) according to ISO 27001" : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
And maybe can be interesting for you these articles:
"How to write ISO 27001 risk assessment methodology" : https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/ 
"How to assess consequences and likelihood in ISO 27001 risk analysis" : https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Jan 13, 2016

Jan 13, 2016