Expert Advice Community

Problem in describing risks

Guest
gabryprof Created: Jun 21, 2016 Last commented: Jun 22, 2016

In the stage 1 audit the auditor raised the following non-conformity: "Information security risks are not directly and explicitly described in the risk assessment table, but by means of the threats that may cause them and the vulnerabilities that may be exploited". Now I have to write a description for each risk. I wonder whether, if the threat is "wrong update" and the vulnerability is "poor release management" for a software asset, I have to write "A wrong update can be performed by mistake". I'll do it, but for me it's useless. I'm using your risk assessment table, where the data are enough to identify risks.
Expert
Dejan Kosutic Jun 22, 2016

ISO 27001:2013 does not require a risk description; what it does require in clause 6.1.2 c) 1) is to identify the risks. The asset-based methodology we are using in the toolkit is the most widely used methodology for identifying the risks. Actually, this was a mandatory methodology under the previous 2005 revision of ISO 27001, and it is still in use in most companies.

So, if you have identified all the assets and their related threats and vulnerabilities, then I would challenge this auditor and ask him to reference a clause of the standard that requires the "description".

If you want, you can send your risk assessment table to my email and I'll review it, just to make sure it is done properly.

Guest
gabryprof Jun 22, 2016

Thank you, but it is written in Italian. I would have to translate it.
