
Expert Advice Community

Guest user Created:   Dec 03, 2018 Last commented:   Dec 03, 2018

ISO and COBIT

I have some questions to ask you related to risk assessment, as below:


Expert
Rhand Leal Dec 03, 2018

1 - If my company is required to follow both standards, ISO and COBIT, what will the effect be on the IT Risk Management Process? Which standard should I follow to implement IT Risk Management?

Answer: ISO and COBIT requirements for risk management are very similar (identify, analyse, evaluate and treat the risks), the difference being that for ISO 27001 you have to consider the effects of risks on information (in terms of confidentiality, integrity, and availability), while for COBIT you have to consider risks to IT assets (e.g., hardware and software) that are not related only to information (e.g., risks related to operational performance or cost efficiency). Considering that, if you follow both standards, your IT Risk Management Process will have to include evaluation criteria related to information security, and you will have to assess and treat risks while also considering how the affected IT assets will impact information.

Regarding implementation, ISO 27001 only requires the definition of a methodology, while COBIT also provides details about risk management, so you can use the COBIT approach.

For more information, please read: How to integrate COSO, COBIT, and ISO 27001 frameworks https://advisera.com/27001academy/blog/2016/10/10/how-to-integrate-coso-cobit-and-iso-27001-frameworks/

2 - I have many assets and applications in my company. I want to do IT risk management on some assets and applications by following ISO 27001:2013, and for the remaining assets and applications I will do the IT risk management later. I wonder, if I do it like this, whether the SoA remains the same or is different?

Answer: The SoA covers the controls applicable to treat risks related to information security, so if the IT risk assessment you perform later does not identify additional risks (please review the previous answer) that can affect information, then the SoA will not change. On the other hand, if a risk affecting an IT asset will also impact information, and this risk is considered unacceptable and you have to implement a new control, listed or not in ISO 27001 Annex A (e.g., a control required by COBIT), then this situation will require you to change your SoA (you can include in the SoA controls not listed in ISO 27001 Annex A if these controls will treat information security related risks).

For more information, please read: The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

3 - Could you please explain and give an example related to the quantitative and qualitative terms of risk assessment?

Answer: In qualitative risk assessment, the focus is on interested parties' perceptions about the probability of a risk occurring and its impact on relevant organizational aspects (e.g., financial, reputational, etc.). This perception is represented on scales such as "low – medium – high" or "1 – 2 – 3," which are used to define the risk's final value.

In quantitative risk assessment, the focus is on factual and measurable data, with highly mathematical and computational bases, to calculate probability and impact values, normally expressing risk values in monetary terms.

This article will provide you with further explanation and detailed examples about quantitative and qualitative risk assessment:
- Qualitative vs. quantitative risk assessments in information security: Differences and similarities https://advisera.com/27001academy/blog/2017/03/06/qualitative-vs-quantitative-risk-assessments-in-information-security/

This material will also help you regarding risk assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

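The following worked comparison is an added example, not part of the expert's answer or of any Advisera material. It scores the same three constructed risks both ways: qualitatively, with the 1 – 2 – 3 likelihood and impact scales mentioned in the answer (the product and the low/medium/high banding are assumed conventions, not something ISO 27001 prescribes), and quantitatively, using the common single loss expectancy (SLE) and annualized loss expectancy (ALE) model, which the answer does not name and is used here as one representative monetary method. All asset values, exposure factors, occurrence rates and control costs are invented for illustration. The point it shows is that the two methods can rank the same risks differently, and that only the monetary figures let you test whether a control is worth its yearly cost.

```python
"""Qualitative vs. quantitative risk assessment on one constructed risk register.

Added example; not from the original post. Scales, bandings and all figures
are assumptions chosen for illustration.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    likelihood: int          # qualitative: 1 = low, 2 = medium, 3 = high (assumed scale)
    impact: int              # qualitative: same 1-3 scale
    asset_value: float       # quantitative: money at stake if the asset is fully lost
    exposure_factor: float   # quantitative: fraction of asset value lost per event (0..1)
    aro: float               # quantitative: annualized rate of occurrence (events/year)


# --- Qualitative: perception-based scores on ordinal scales ----------------

def qualitative_score(r: Risk) -> int:
    """Risk value = likelihood x impact on the 1-3 scales (possible values 1..9)."""
    return r.likelihood * r.impact


def qualitative_rating(score: int) -> str:
    """Band the score into low / medium / high (assumed banding: 1-2, 3-4, 6-9)."""
    if score <= 2:
        return "low"
    if score <= 4:
        return "medium"
    return "high"


def needs_treatment_qualitative(r: Risk, acceptable_max: int = 4) -> bool:
    """Assumed acceptance criterion: anything scoring above 'medium' must be treated."""
    return qualitative_score(r) > acceptable_max


# --- Quantitative: measurable inputs, monetary output ----------------------

def single_loss_expectancy(r: Risk) -> float:
    """SLE = asset value x exposure factor: loss per single occurrence."""
    return round(r.asset_value * r.exposure_factor, 2)


def annualized_loss_expectancy(r: Risk) -> float:
    """ALE = SLE x ARO: expected loss per year, in money."""
    return round(single_loss_expectancy(r) * r.aro, 2)


def control_is_cost_justified(r: Risk, aro_after: float, annual_control_cost: float) -> bool:
    """A control pays for itself when the ALE reduction exceeds its yearly cost."""
    ale_before = annualized_loss_expectancy(r)
    ale_after = round(single_loss_expectancy(r) * aro_after, 2)
    return (ale_before - ale_after) > annual_control_cost


def rank_qualitative(risks):
    """Names ordered by qualitative score, highest first (stable for ties)."""
    return [r.name for r in sorted(risks, key=qualitative_score, reverse=True)]


def rank_quantitative(risks):
    """Names ordered by ALE, highest first."""
    return [r.name for r in sorted(risks, key=annualized_loss_expectancy, reverse=True)]


# Constructed sample register (all numbers invented for the example).
SAMPLE_RISKS = [
    Risk("Ransomware on file server", likelihood=2, impact=3,
         asset_value=500_000, exposure_factor=0.6, aro=0.2),
    Risk("Laptop theft (encrypted disk)", likelihood=2, impact=2,
         asset_value=2_000, exposure_factor=1.0, aro=3.0),
    Risk("Payment database breach", likelihood=1, impact=3,
         asset_value=2_000_000, exposure_factor=0.5, aro=0.05),
]


if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        s = qualitative_score(r)
        print(f"{r.name:32s} qual={s} ({qualitative_rating(s)})  "
              f"SLE={single_loss_expectancy(r):>12,.2f}  ALE={annualized_loss_expectancy(r):>10,.2f}")
    print("qualitative ranking :", rank_qualitative(SAMPLE_RISKS))
    print("quantitative ranking:", rank_quantitative(SAMPLE_RISKS))
    # Assumed treatment options: a 25,000/year backup+EDR control cutting ransomware ARO
    # to 0.05, and a 10,000/year tracking service cutting laptop theft ARO to 1.0.
    print("ransomware control justified:",
          control_is_cost_justified(SAMPLE_RISKS[0], aro_after=0.05, annual_control_cost=25_000))
    print("laptop control justified    :",
          control_is_cost_justified(SAMPLE_RISKS[1], aro_after=1.0, annual_control_cost=10_000))
```

On this register the qualitative method places laptop theft (score 4) above the payment database breach (score 3), because the perceived likelihood dominates, while the quantitative method puts the database breach second at 50,000 per year against 6,000 for laptop theft. The quantitative figures also show that the ransomware control is cost-justified (ALE falls from 60,000 to 15,000 for a 25,000 yearly cost) while the laptop control is not (a 4,000 reduction against a 10,000 cost), a comparison the ordinal scales cannot make.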
