In the Inventory of assets table there is a column with heading “Impact”. The instruction at the top of the table states that one should copy the score from the Risk Assessment table. However, each item from the Inventory of Assets table may have several risks attached to it in the Risk Assessment table. Moreover if one uses the suggested scores by Advisera (0, 1, 2) for both Consequence and Likelyhood, most assets can have several scores between 0 and 4. What am I to do with the Impact column and what is the significance of this column? In other words what does it add to the entire system? If I should copy all scores then I need to copy all risk descriptions as well. This seems like a lot of unnecessary work. Can you please advise?
In case multiple risks are associated with an asset, then you must use the highest impact level associated to these risks. The purpose of the impact column is to give the organization a compr ehensive view of the most relevant assets of the organization regarding information security. This can help you prioritize and allocate resources to protect information.