Expert Advice Community

Guest

ISO 27001 Asset-based risk assessment

  Quote
Guest
Guest user Created:   Sep 17, 2020 Last commented:   Sep 17, 2020

ISO 27001 Asset-based risk assessment

Quick question, please. When doing an ISO 27001 Asset-based risk assessment, do I keep the assets that have no impact on information security still in the risk assessment matrix or do I only keep assets that have an impact on information security

0 0

Assign topic to the user

Assign

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Sep 17, 2020

I'm assuming that by asset-based risk assessment you mean the asset-threat-vulnerability approach.

Considering that, even in case a set of asset-threat-vulnerability rises no risk to the information that is part of the ISMS scope, you should maintain it in the Risk Assessment, for record purposes. First, because this way you can keep track of already identified sets of assets-threats-vulnerabilities you thought were relevant, which in future assessments will save you time in risk identification (you will not need to work on the identification of these risks again), and since the risk is a dynamic variable, in a future assessment these sets may indeed raise a risk that may require treatment (e.g. due to a technological change or new legislation).

These articles will provide you a further explanation about risk assessment:

These materials will also help you regarding risk assessment:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Sep 17, 2020

Sep 17, 2020

Suggested Topics