
Expert Advice Community

Performing risk assessment

Guest user   Created: Aug 13, 2019   Last commented: Aug 13, 2019

Hi, I follow your articles diligently, all of them; I am a big admirer of your know-how. One topic I couldn't find detail on was actually doing Risk Analysis. The issue is, when we do RA, we have defined Assets and then put the owner and then the C I A value; in assigning CIA values for different assets, would it be done based on the value of that asset to the company or on the threat marked for that asset? Which method would be correct, as I haven't seen any article anywhere explaining this? If it is based on the value of that asset to the company, then the chance is the CIA markings for an asset would be the same for different threats for a company; would it be correct?

Expert
Rhand Leal Aug 13, 2019

Answer:

The reason why we do not have articles on defining the asset value is that it is not prescribed by the standard, and it only complicates the risk assessment if you already assess the level of impact. The point is, if you use the asset-based approach you need to identify risk by listing assets (without evaluating them), threats and vulnerabilities, evaluate impact (taking into account C-I-A) and likelihood, calculate the level of risk, and define the risk owner - nothing more.

This article can provide you further information about asset-based risk assessment:
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

This material will also help you regarding risk assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

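The asset-based approach described in the answer, worked through as an added example (not code from the original post or from Advisera): assets are only listed, and the C-I-A impact is assessed for each asset + threat + vulnerability combination, so one asset can carry a different impact for each threat. The 1-5 scales, the acceptance threshold and the register entries are constructed assumptions.

```python
# Added example: an asset-based risk register following the steps in the
# answer above. The 1-5 scales, the risk acceptance threshold and the sample
# entries are constructed assumptions, not from the original post.
from dataclasses import dataclass

ACCEPTABLE_RISK = 9  # constructed: risk levels above this need treatment

@dataclass(frozen=True)
class Risk:
    asset: str          # listed, not valued
    threat: str
    vulnerability: str
    impact_c: int       # impact on confidentiality, 1-5, assessed for
    impact_i: int       # this asset+threat+vulnerability combination,
    impact_a: int       # not once per asset
    likelihood: int     # 1-5
    risk_owner: str

    def impact(self) -> int:
        # The worst-hit property drives the impact rating.
        return max(self.impact_c, self.impact_i, self.impact_a)

    def level(self) -> int:
        return self.impact() * self.likelihood

    def needs_treatment(self) -> bool:
        return self.level() > ACCEPTABLE_RISK

# The same asset appears twice with different impacts, because impact is
# assessed per threat, which is the point the asker was unsure about.
REGISTER = [
    Risk("Customer database", "Unauthorised disclosure", "Weak access control",
         impact_c=5, impact_i=2, impact_a=1, likelihood=3, risk_owner="Head of IT"),
    Risk("Customer database", "Hardware failure", "No redundant storage",
         impact_c=1, impact_i=3, impact_a=4, likelihood=2, risk_owner="Head of IT"),
    Risk("Laptop", "Theft", "Disk not encrypted",
         impact_c=4, impact_i=1, impact_a=2, likelihood=3, risk_owner="Office manager"),
]

def prioritised(register):
    """Risks sorted from highest to lowest level."""
    return sorted(register, key=lambda r: r.level(), reverse=True)

def treatment_backlog(register):
    """Risks that exceed the acceptance threshold, highest first."""
    return [r for r in prioritised(register) if r.needs_treatment()]

def impacts_for_asset(register, asset):
    """Impact rating per threat for one asset."""
    return {r.threat: r.impact() for r in register if r.asset == asset}
```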
