Questions about risk assessment and treatment

Guest user | Created: Aug 13, 2019 | Last commented: Aug 14, 2019


Last year I bought the ISO 27001 package to implement an ISMS for a customer. I used all the documentation, but the auditor wants to know the risk analysis method used (méhari? Ébiseler? etc.).
Expert
Rhand Leal Aug 13, 2019

1. And my question: What is the method used on your template?

Answer:

The documentation in the FR ISO 27001 Documentation Toolkit related to risk assessment and risk treatment is based on the asset-vulnerability-threat method. This method is one of the methods recommended by ISO 27005, a supporting standard providing guidance on information security risk management.

For more information about this approach, please read:
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

2. What is the risk if we don't use a market method?

Answer:

ISO 27001 does not prescribe a risk assessment and treatment method to be adopted, so organizations can adopt the approach that best suits them, either a market method or a method developed by the organization itself (provided that this method fulfills the standard's requirements).

It is important to note that there is no "risk" in using any method, as long as the method has all five mandatory elements required by ISO 27001: (1) identification of risks, (2) identification of risk owners, (3) assessment of impact and likelihood, (4) calculation of the level of risk, and (5) definition of the acceptable level of risk.

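The five mandatory elements listed in the answer above, as an added worked example that is not part of the Advisera toolkit or of this thread: a small Python risk register in the asset-threat-vulnerability style that parses a constructed CSV table, rejects rows without a named risk owner or with ratings off the agreed scale, calculates the level of each risk, and lists the risks above the acceptable level, which are the input to the treatment plan. The 1-to-5 rating scales, the impact × likelihood formula and the acceptance threshold of 8 are assumptions chosen for the example; an organization defines its own.

```python
import csv
import io
from dataclasses import dataclass

# Assumed rating scales for this example (the toolkit's own scales may differ):
# impact and likelihood are each rated 1 (very low) to 5 (very high), and the
# risk level is their product, 1..25.
SCALE_MIN, SCALE_MAX = 1, 5
# Assumed acceptance criterion: a risk at or below this level is accepted as is.
ACCEPTABLE_LEVEL = 8

# Columns a register row must carry to cover the mandatory elements: the risk
# itself (asset, threat, vulnerability), its owner, and the impact/likelihood
# ratings from which the level is calculated.
REQUIRED_COLUMNS = ("asset", "threat", "vulnerability", "owner", "impact", "likelihood")


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    owner: str
    impact: int
    likelihood: int

    def __post_init__(self) -> None:
        # Element (2): every identified risk needs a named risk owner.
        if not self.owner.strip():
            raise ValueError(f"risk to '{self.asset}' has no risk owner")
        # Element (3): impact and likelihood must be rated on the agreed scale.
        for name in ("impact", "likelihood"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(
                    f"{name} for '{self.asset}' must be {SCALE_MIN}..{SCALE_MAX}, got {value}"
                )

    @property
    def level(self) -> int:
        # Element (4): calculate the level of risk.
        return self.impact * self.likelihood

    @property
    def needs_treatment(self) -> bool:
        # Element (5): compare against the defined acceptable level of risk.
        return self.level > ACCEPTABLE_LEVEL


def load_register(csv_text: str) -> list[Risk]:
    """Parse a CSV export of the risk assessment table into Risk objects,
    refusing the whole table if any mandatory column is missing."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"register is missing mandatory columns: {missing}")
    return [
        Risk(row["asset"], row["threat"], row["vulnerability"], row["owner"],
             int(row["impact"]), int(row["likelihood"]))
        for row in reader
    ]


def risks_needing_treatment(register: list[Risk]) -> list[Risk]:
    """Risks above the acceptable level, highest level first: the rows that
    must get a treatment option in the risk treatment plan."""
    return sorted((r for r in register if r.needs_treatment),
                  key=lambda r: r.level, reverse=True)


# Constructed sample register (invented rows, not customer data).
SAMPLE_REGISTER = """asset,threat,vulnerability,owner,impact,likelihood
Customer database,Unauthorised access,Weak passwords,IT Manager,5,3
Staff laptop,Theft,No disk encryption,Office Manager,4,2
Public website,Denial of service,No rate limiting,Web Administrator,3,4
Paper archive,Fire,No fire suppression,Facilities Manager,2,1
"""

if __name__ == "__main__":
    for risk in load_register(SAMPLE_REGISTER):
        status = "TREAT" if risk.needs_treatment else "accept"
        print(f"{risk.asset:18} owner={risk.owner:20} level={risk.level:2} {status}")
```

Each column of the sample table maps to one of the five elements, which is the check an auditor can make on any method: if a row can be traced to an identified risk, an owner, an impact and likelihood rating, a calculated level and a comparison with the acceptance criterion, the method satisfies the standard regardless of its name.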
Expert
Rhand Leal Aug 14, 2019

The excerpt you presented correctly fills in the fields of the risk assessment table, so if the rest of the matrix is filled in similarly, you can consider this table compliant with ISO 27001 requirements for the risk assessment process.
