Questions about risk assessment and treatment
1. And my question: What is the method used on your template?
Answer:
The documentation in the FR ISO 27001 Documentation Toolkit related to risk assessment and risk treatment is based on the asset-vulnerability-threat method. This method is one of the methods recommended by ISO 27005, a supporting standard providing guidance on information security risk management.
For more information about this approach, please read:
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
2. What is the risk if we don't use a market method?
Answer:
ISO 27001 does not prescribe a risk assessment and treatment methodology to be adopted, so organizations can adopt the approach that best suits them, either a market method or a method developed by the organization itself (provided that this method fulfills the standard's requirements).
It is important to note that there is no "risk" in using any method, as long as such a method has all five mandatory elements required by ISO 27001: (1) identification of risks, (2) identification of risk owners, (3) assessment of impact and likelihood, (4) calculation of the level of risk, and (5) definition of the acceptable level of risk.
The excerpt you presented correctly fills in the fields of the risk assessment table, so if the rest of the matrix is filled in similarly, you can consider this table compliant with the ISO 27001 requirements for the risk assessment process.
Aug 14, 2019