Performing risk assessment
Answer:
The reason why we do not have articles on defining the asset value is that it is not prescribed by the standard, and it only complicates the risk assessment if you already assess the level of impact. The point is, if you use the asset-based approach you need to identify risk by listing assets (without evaluating them), threats and vulnerabilities, evaluate impact (taking into account C-I-A) and likelihood, calculate the level of risk, and define the risk owner - nothing more.
This article can provide you with further information about asset-based risk assessment:
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
This material will also help you regarding risk assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Aug 13, 2019