Is assessing asset value mandatory?
It is very useful. A clarification: In your Risk value calculation, you are considering only the Impact & Probability.
Do we have to consider the Asset value also? Please clarify.
Answer:
ISO 27001 does not require you to assess the asset value - this is actually one of the greatest myths about risk assessment; what ISO 27001 does require you to do is assess impact and likelihood. Of course, if you want to, you can assess asset value, but then you should assess these 3 items: asset value, threats and vulnerabilities (instead of only impact and likelihood).
This article explains this in more detail: How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
Feb 08, 2016