Qualitative and quantitative risk assessment
You can use a mix of both as long as you are able to produce consistent and comparable results - e.g. you can use qualitative risk assessment for all risks, and then quantitative risk assessment only for the biggest risks. Keep in mind that ISO 27001 does not establish how you have to develop your methodology. If you want to know the basic steps of our methodology (very easy and helpful), please read this article "ISO 27001 risk assessment & treatment 6 basic steps": https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
Jan 12, 2016