Question about the risk assessment table
ISO 27001 does not prescribe a detailed level for risk assessment and risk treatment, so organizations are free to define the detail level they see fit to provide them the confidence they are treating risk properly.
For example, for some organizations naming an asset as a "database" is enough to map all relevant risks, while others find it more useful to define specific assets for different databases because each one has risks specific to it.
Another good example is the asset "laptop", for which you can list all common risks, and then add assets like "development laptop" and "sales laptop", for which you identify specific risks related to the activities they are used for.
Jan 05, 2022