ISO 27001 Asset-based risk assessment
Quick question, please. When doing an ISO 27001 asset-based risk assessment, do I keep the assets that have no impact on information security in the risk assessment matrix, or do I only keep the assets that have an impact on information security?
I'm assuming that by asset-based risk assessment you mean the asset-threat-vulnerability approach.
Considering that, even in the case where an asset-threat-vulnerability set raises no risk to the information that is part of the ISMS scope, you should keep it in the risk assessment for record purposes. First, because this way you can keep track of already identified asset-threat-vulnerability sets you thought were relevant, which in future assessments will save you time in risk identification (you will not need to work on the identification of these risks again). Second, since risk is a dynamic variable, in a future assessment these sets may indeed raise a risk that requires treatment (e.g. due to a technological change or new legislation).
These articles will provide you with a further explanation of risk assessment:
- ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
These materials will also help you regarding risk assessment:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Sep 17, 2020