People "asset" for risk assessment
Answer:
I am sorry, but in ISO 27001:2013 it is not necessary to identify the confidentiality, integrity and availability requirements of "people" assets for the risk assessment, because the term "assets" is not used in the new ISO 27001:2013 (you can develop your own methodology for risk management; I mean, it is not mandatory to have a methodology based on assets).
Anyway, if you have an asset-based methodology, you need to identify the threats/vulnerabilities related to each asset. So, in the case of assets of the type "people", a threat can be the unavailability of a person, and a vulnerability can be having no replacement for this person's position (which can be considered a potential loss of availability); another threat can be frequent errors, and a vulnerability can be a lack of training (which can be considered a potential loss of integrity and availability); and another threat can be illegal processing of data, and a vulnerability can be a lack of monitoring mechanisms (which can be considered a potential loss of confidentiality).
For more information about this, please read this article, "ISO 27001 risk assessment: How to match assets, threats and vulnerabilities": https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
Our online course can also be interesting for you, because we also give information about the risk assessment, including the asset inventory: "ISO 27001:2013 Foundations Course": https://advisera.com/training/iso-27001-foundations-course/
Mar 18, 2016