Qualitative and/or Quantitative Risk Assessment
Ysong,
ISO 27001 does not prevent you from mixing qualitative and quantitative risk assessment, but frankly speaking such an approach would be very unusual, and not very practical.
The problem is that you have to assess consequences and likelihood in order to calculate the level of risk. If you have both consequence and likelihood assessed qualitatively (e.g. using a scale of 1 to 5), then it is not difficult to calculate the level of risk; however, if your consequence is e.g. 2 and your likelihood e.g. 13%, you wouldn't be able to use a formula - you would need to use tables with pre-defined logic, which could complicate the calculation.
Jan 12, 2016
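The following is an added example, not part of the forum post above or of any ISO 27001 text. It shows the two cases the answer contrasts: a purely qualitative calculation where consequence and likelihood are both on a 1-to-5 scale and risk is their product, and a mixed calculation where likelihood arrives as a percentage and must first be mapped through a pre-defined band table before any formula applies. The band thresholds, the low/medium/high cut-offs and all function names are assumptions chosen for illustration; ISO 27001 does not prescribe them.

```python
from typing import List, Tuple

# Qualitative approach: both factors on a 1-to-5 scale, risk = consequence x likelihood.
def qualitative_risk(consequence: int, likelihood: int) -> int:
    for name, value in (("consequence", consequence), ("likelihood", likelihood)):
        if not (isinstance(value, int) and 1 <= value <= 5):
            raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return consequence * likelihood


# Mixed approach: consequence stays on 1-to-5, likelihood is a probability (0.0 to 1.0).
# Multiplying 2 by 0.13 gives 0.26, which is not comparable with a 1-to-25 qualitative
# score, so the probability has to be converted to a band first using a pre-defined table.
# These band boundaries are an assumption for the example (upper bound inclusive, band).
LIKELIHOOD_BANDS: List[Tuple[float, int]] = [
    (0.05, 1),  # up to 5%   -> rare
    (0.20, 2),  # up to 20%  -> unlikely
    (0.50, 3),  # up to 50%  -> possible
    (0.80, 4),  # up to 80%  -> likely
    (1.00, 5),  # up to 100% -> almost certain
]


def likelihood_band(probability: float) -> int:
    """Map a probability to the 1-to-5 qualitative band from the table above."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError(f"probability must be between 0 and 1, got {probability!r}")
    for upper_bound, band in LIKELIHOOD_BANDS:
        if probability <= upper_bound:
            return band
    return LIKELIHOOD_BANDS[-1][1]  # unreachable for valid input; defensive default


def naive_mixed_product(consequence: int, probability: float) -> float:
    """The formula applied directly to mixed inputs; the result is on no defined scale."""
    return consequence * probability


def mixed_risk(consequence: int, probability: float) -> int:
    """Mixed inputs made comparable: convert the probability to a band, then use the formula."""
    return qualitative_risk(consequence, likelihood_band(probability))


# Assumed cut-offs for turning a 1-to-25 score into a risk level (not from the standard).
def risk_level(score: int) -> str:
    if score <= 5:
        return "low"
    if score <= 12:
        return "medium"
    return "high"


if __name__ == "__main__":
    # Constructed inputs matching the example in the post: consequence 2, likelihood 13%.
    print("qualitative 2 x 4       ->", qualitative_risk(2, 4), risk_level(qualitative_risk(2, 4)))
    print("naive 2 x 0.13          ->", naive_mixed_product(2, 0.13))
    print("banded 13% -> band      ->", likelihood_band(0.13))
    score = mixed_risk(2, 0.13)
    print("mixed risk (2, 13%)     ->", score, risk_level(score))
```

The `naive_mixed_product` function exists only to make the answer's point concrete: 0.26 cannot be placed on the same scale as a qualitative score, whereas `mixed_risk` yields a value that can, at the cost of maintaining and justifying the band table.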