
Expert Advice Community


Qualitative and/or Quantitative Risk Assessment

Guest post. Created: Jan 12, 2016. Last commented: Jan 12, 2016.


Hi, Dejan,

I understand that we can use a Qualitative or Quantitative approach to the risk assessment. Can we use both in the methodology, i.e. Qualitative to define Consequences and Quantitative to define Likelihood?

Regards,
ys
DejanK Jan 12, 2016

Ysong,

ISO 27001 does not prevent you from mixing the qualitative and quantitative risk assessment, but frankly speaking such an approach would be very unusual, and not very practical.

The problem is that you have to assess consequences and likelihood in order to calculate the level of risk. If you have both consequence and likelihood assessed qualitatively (e.g. using a scale of 1 to 5), then it is not difficult to calculate the level of risk; however, if your consequence is e.g. 2, and your likelihood e.g. 13%, you wouldn't be able to use a formula - you would need to use tables with pre-defined logic, which could complicate the calculation.
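The two cases from the reply above, as an added example that is not part of the original post: a purely qualitative calculation next to the table-driven lookup a mixed method needs. The formula (consequence × likelihood, since the post names none), the likelihood bands and the risk table are all assumptions constructed for illustration.

```python
from bisect import bisect_right

def qualitative_risk(consequence: int, likelihood: int) -> int:
    """Both inputs on the same 1-5 scale, so a plain formula works.
    Assumption: risk = consequence * likelihood (the post names no formula)."""
    for name, value in (("consequence", consequence), ("likelihood", likelihood)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be 1..5, got {value}")
    return consequence * likelihood

# Constructed likelihood bands for the mixed method, in percent:
# band 0: <5, band 1: 5 to <20, band 2: 20 to <50, band 3: 50 to <80, band 4: >=80
BAND_EDGES = [5, 20, 50, 80]

# Constructed pre-defined logic: RISK_TABLE[consequence - 1][band] -> risk level.
# Every cell has to be agreed on and maintained by hand; that is the extra work
# a mixed method brings compared with a single formula.
RISK_TABLE = [
    ["low",    "low",    "low",    "medium", "medium"],  # consequence 1
    ["low",    "low",    "medium", "medium", "high"],    # consequence 2
    ["low",    "medium", "medium", "high",   "high"],    # consequence 3
    ["medium", "medium", "high",   "high",   "high"],    # consequence 4
    ["medium", "high",   "high",   "high",   "high"],    # consequence 5
]

def likelihood_band(likelihood_pct: float) -> int:
    """Map a quantitative likelihood (0-100 %) onto a band index 0..4."""
    if not 0 <= likelihood_pct <= 100:
        raise ValueError(f"likelihood must be 0..100 %, got {likelihood_pct}")
    return bisect_right(BAND_EDGES, likelihood_pct)

def mixed_risk(consequence: int, likelihood_pct: float) -> str:
    """Qualitative consequence (1-5) with quantitative likelihood (%)."""
    if not 1 <= consequence <= 5:
        raise ValueError(f"consequence must be 1..5, got {consequence}")
    return RISK_TABLE[consequence - 1][likelihood_band(likelihood_pct)]

if __name__ == "__main__":
    print("qualitative 2 x 3 ->", qualitative_risk(2, 3))
    # The reply's own example: consequence 2, likelihood 13 %.
    print("mixed 2, 13%      ->", mixed_risk(2, 13))
    # Band edges create jumps: 19.9 % and 20 % land in different cells.
    print("mixed 2, 19.9%    ->", mixed_risk(2, 19.9))
    print("mixed 2, 20%      ->", mixed_risk(2, 20))
```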
