First of all, I wish you all the best for this new year, to you, the whole Advisera team, as well as your loved ones.
Starting this new year with our Risk Assessment Table, I was wondering how detailed it should be. I'm sure that, by thinking about it, I could add and add specific points, but I'll have to stop at a certain point.
Any general advice about this?
More concretely, as our ISO 27001 certification is focused on our SaaS platform, we use a lot of different cloud provider resources, like databases, servers, and many different tools.
Is it a best practice to list them all and find potential threats and vulnerabilities for each one?
- We use *** and *** as 2 separate databases. Should I list both of them or can I "simply" mention that we use "databases" and find threats and vulnerabilities that are applicable to both of them?
- We use *** and *** as documentation tools (that can include sensitive information). Should I address them separately?
ISO 27001 does not prescribe a detailed level for risk assessment and risk treatment, so organizations are free to define the detail level they see fit to provide them the confidence they are treating risk properly.
For example, for some organizations naming an asset as a “database” is enough to map all relevant risks, while others find it more useful to use specific assets for different databases because each one has its own specific risks.
Another good example is the asset “laptop”, for which you can list all common risks, and then add assets like “development laptop” and “sales laptop”, for which you identify specific risks related to the activities they are used for.