Expert Advice Community

Inputs for risk assessment

Guest user Created: Jul 15, 2019 Last commented: Jul 17, 2019

As per my knowledge, we first list ALL the information assets and, based on an evaluation of CIA (rating of medium/high/VH), we proceed to perform the Risk Assessment. However, as per ISO 27k:2013, the trigger for identifying risks starts from the extracts of internal and external issues made while documenting the scope. Can you please explain if I should consider both the extract from the BIA (medium/high of CIA) + the trigger from internal and external issues for the Risk Assessment, or otherwise?

Expert
Rhand Leal Jul 15, 2019

Answer:

First, it is important to note that ISO 27001 does not prescribe how risk assessment must be performed, and there are approaches that use lists of assets and others that do not. A BIA is also not needed to perform risk assessment.

Additionally, for those approaches that use lists of assets, there is no need for the assets to be classified.

Finally, what triggers the risk assessment is the need to protect information in the ISMS scope. Internal and external issues are one of the inputs for the risk assessment, but they do not start the process.

Considering that, I suggest you perform the risk assessment based on the asset-vulnerability-threat approach, involving the personnel who are responsible for the assets they identify as the most relevant in the scope of the risk assessment.

These articles will provide you further explanation about risk assessment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

Guest
lakshmi_keerthi Jul 17, 2019

Thanks Rhand, for your response: "suggest you perform the risk assessment based on the asset-vulnerability-threat approach, involving the personnel who are responsible for the assets they identify as the most relevant in the scope of the risk assessment."

I understand it this way, but also have a question:

Step 1: List assets & the trigger from internal and external issues (within the ISMS scope). Perform CIA; is it addressed as High/Medium/VH?
Step 2: For Medium and High/VH from Step 1, list threats & vulnerabilities, then calculate the probability & impact rating that has values (based on what we define).
Question: where do we determine the risk here? Where do we write the risk, or do we need a column here for writing the risk? As I see it, there are only threats, vulnerabilities, probability, impact and risk rating.
Step 3: Input from Step 2: prioritised risks to address. Where do we write the risks? (I see only threats and vulnerabilities and the risk ranking that we will further address.)
Step 3: Based on the higher risk ratings we select controls. Find gaps and address them.
Step 4: SoA

Dejan,

The explanation of the first step, to start with threats and vulnerabilities and thereby align them to assets within the ISMS scope, is an interesting write-up, but I lag in understanding how to define the overall definitions.

Thank you :)
Lakshmi

Expert
Rhand Leal Jul 22, 2019

>I understand this way but also have a question

>Step 1: List assets & the trigger from internal and external issues (within the ISMS scope). Perform CIA; is it addressed as High/Medium/VH?

Answer: Internal and external issues are only part of the elements used to identify assets for the risk assessment. The best way to build asset inventory is to interview the head of each department, and list all the assets a department uses. The easiest is the “describe-what-you-see” technique – basically, ask this person e.g. to list all the software that he or she sees that are installed on the computer, all the documents in their folders and file cabinets, all the people working in the department, all the equipment seen in their offices, etc.

For further information, see: How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

>Step 2: For Medium and High/VH from Step 1, list threats & vulnerabilities, then calculate the probability & impact rating that has values (based on what we define).

>Question: where do we determine the risk here? Where do we write the risk, or do we need a column here for writing the risk? As I see it, there are only threats, vulnerabilities, probability, impact and risk rating.

Answer: First, it is important to note that when performing risk identification through the asset-vulnerability-threat approach you do not write a risk text (e.g., risk of data loss due to equipment failure). In this approach the identification of the relation asset-vulnerability-threat is the risk statement (e.g., paper report - single copy - fire, or electronic record - single copy - storage unit failure).

>Step 3: Input from Step 2: prioritised risks to address. Where do we write the risks? (I see only threats and vulnerabilities and the risk ranking that we will further address.)
>Step 3: Based on the higher risk ratings we select controls. Find gaps and address them.
>Step 4: SoA

>Dejan, the explanation of the first step, to start with threats and vulnerabilities and thereby align them to assets within the ISMS scope, is an interesting write-up, but I lag in understanding how to define the overall definitions.

Answer: For a better understanding of the overall risk assessment process I suggest you watch this webinar:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

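To make the answers above concrete (in particular, that the asset-vulnerability-threat triple is itself the risk statement and no separate "risk" column is needed), here is an added worked example of a minimal risk register that is not part of the thread or of any Advisera material. It assumes a 1..5 ordinal scale for likelihood and impact, a multiplicative rating, and an acceptance threshold of 8; all three are assumptions the organisation sets for itself, and the sample rows beyond the two triples quoted in the answer are constructed for illustration.

```python
from dataclasses import dataclass

# Assumed 1..5 ordinal scale for both likelihood and impact. The standard leaves
# the scale to the organisation; these labels are an assumption for this example.
SCALE = {1: "very low", 2: "low", 3: "medium", 4: "high", 5: "very high"}


@dataclass(frozen=True)
class Risk:
    """One row of the register.

    The asset-vulnerability-threat triple *is* the risk; a free-text 'risk'
    column is unnecessary because the statement can be derived from the row.
    """
    asset: str
    vulnerability: str
    threat: str
    likelihood: int  # 1..5 on SCALE
    impact: int      # 1..5 on SCALE

    def __post_init__(self):
        for name in ("likelihood", "impact"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be one of {sorted(SCALE)}")

    @property
    def rating(self) -> int:
        # Multiplicative rating (assumed method); a likelihood x impact matrix
        # lookup is the usual alternative and plugs in here unchanged.
        return self.likelihood * self.impact

    @property
    def statement(self) -> str:
        # Rendered on demand from the triple, so it never drifts from the row.
        return f"{self.asset} - {self.vulnerability} - {self.threat}"


def prioritise(register, acceptable_below: int = 8):
    """Split the register into risks to treat and risks to accept.

    acceptable_below is the organisation's risk acceptance criterion (assumed
    value here); anything rated at or above it needs treatment. The treat list
    is ordered highest rating first, ties broken by impact so that a rare but
    severe event sorts before a frequent but minor one.
    """
    treat = sorted(
        (r for r in register if r.rating >= acceptable_below),
        key=lambda r: (r.rating, r.impact),
        reverse=True,
    )
    accept = [r for r in register if r.rating < acceptable_below]
    return treat, accept


def render(register) -> str:
    """Plain-text view with exactly the columns discussed in the thread."""
    header = "asset | vulnerability | threat | L | I | rating"
    rows = [
        f"{r.asset} | {r.vulnerability} | {r.threat} | "
        f"{r.likelihood} | {r.impact} | {r.rating}"
        for r in register
    ]
    return "\n".join([header, *rows])


# Constructed sample register. The first two rows are the triples quoted in the
# answer above; the remaining rows are invented to show one asset carrying
# several distinct risks, each with its own rating.
SAMPLE_REGISTER = [
    Risk("paper report", "single copy", "fire", 2, 4),
    Risk("electronic record", "single copy", "storage unit failure", 3, 4),
    Risk("electronic record", "no access control on share",
         "unauthorised disclosure", 4, 5),
    Risk("electronic record", "no access control on share",
         "accidental deletion", 3, 2),
    Risk("office printer", "default admin password",
         "configuration tampering", 2, 2),
]

if __name__ == "__main__":
    to_treat, to_accept = prioritise(SAMPLE_REGISTER)
    print(render(to_treat))
    print(f"\n{len(to_accept)} risk(s) below the acceptance threshold:")
    for r in to_accept:
        print(f"  {r.statement} (rating {r.rating})")
```

The treat list feeds Step 3 (control selection) and the SoA directly: each row already names the asset the control protects and the threat/vulnerability pair it addresses, so the justification for including a control is the row itself, and a risk below the threshold is documented as accepted rather than silently dropped.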
