Expert Advice Community

Home / ISO 27001 & 22301 / Is assessing asset value mandatory?

Guest

Is assessing asset value mandatory?

ISO 27001 & 22301
  Quote
Guest
Guest user Created:   Feb 08, 2016 Last commented:   Feb 08, 2016

Is assessing asset value mandatory?

ISO 27001 & 22301
I happened to listen to the recording of your webinar on 'Basics of RIsk Assessment and Treatment'.
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.
Expert
Dejan Kosutic Feb 08, 2016

It is very useful. A clarification: In your Risk value calculation, you are considering only the Impact & Probability.
Do we have to consider the Asset value also. Please clarify.

Answer:

ISO 27001 does not require you to assess the asset value - this is actually one of the greatest myths about risk assessment; what ISO 27001 does require you is to assess impact and likelihood. Of course, if you want to, you can assess asset value, but then you should assess these 3 items: asset value, threats and vulnerabilities (instead of only impact and likelihood).

This article explains this into more detail: How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Feb 08, 2016

Feb 08, 2016

Suggested Topics
Guest user Created:   Oct 31, 2023 ISO 27001 & 22301
Replies: 1
0 0

Question on risk register and selection of the assets
Guest user Created:   Sep 20, 2023 ISO 27001 & 22301
Replies: 1
0 0

Asset and Risk Owners - can it be a role and also a name of an employee
Guest user Created:   Aug 10, 2023 ISO 27001 & 22301
Replies: 1
0 0

What asset to list when Risks relate to general or high-level assets?