We've received the following question:
I did risk assessment/management programs, but my approach was to identify assets, then threats, and so on. I read that the new version does not recommend this approach of identifying assets and so on, but instead recommends finding risks associated with the environment and so on...
In fact there is no specific requirement on that approach, but there is still a requirement on asset inventory, and in order to control those assets it is good practice to address threats and vulnerabilities on those assets, so you can follow the ISO 27005 approach.
The new risk approach alignment suggested in the 2013 version has a wider coverage and gives the organization the opportunity to address the context risks of the business, providing lines of thought for internal and external issues that are relevant for the business.
ISO 27005 is more focused on information security, and ISO 31000 is a framework that can be used to address those internal and external issues as well as information security.
In the new version you can use the approach that may suit your needs better. As a detailed methodology for information security risk management, ISO 27005 is more practicable than ISO 31000; on the other hand, ISO 31000 provides better guidance on addressing the context analysis. So it is up to your organization to choose either of the approaches, or even both.
Hope it helps.