Risk Approach in ISO 27001:2013

Recently we had a confusion, whether to go with ISO 27001:2013 risk method or 31000:2009 method. 31000 asks us to find all the issues and then find the risk?

Here is my Question

1. Which method to follow for Risk Assessment

2. Is there any way of merging both? i.e. 31000 and 27001? Please help on this.

Thanks,

Vijay

First of all, in the new ISO 27001:2013 is not a requisite to have a methodology for the risk assessment & treatment based on Assets-Threats-Vulnerabilities. So, ISO 27001:2013 leaves you the freedom to identify risks any way you want, although we recommend you to keep your current methodology, because it is ok for the standard.

There is no risk method established in the ISO 27001:2013. There are requirements that you need to comply to perform the risk assessment & treatment in accordance with ISO 27001:2013, but it is not established by this standard how you have to do it. To do this, you can use the ISO 27005, which is a standard that gives you a code of best practices to develop your methodology. ISO 27005 is very similar to ISO 31000 (they have the same structure), but ISO 27005 is focused in risks of information security, and ISO 31000 is focused in any type of risks (information security, environmental, financial, etc.).

So, you can use ISO 31000 to develop your risk methodology, but if you want to work only with risk related to information security, our recommen dation is ISO 27005.

If you want to know more about the relationship between ISO 27001, ISO 31000 and ISO 27005, you can read this article "ISO 31000 and ISO 27001 - How are they related?" : https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/
Finally, you can also consider to use our Risk Assessment and Risk Treatment Methodology, which is also based on ISO 27005 (you can see a free version clicking on "Free Demo" tab) "Risk Assessment and Risk Treatment Methodology" : https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/

Thanks for the reply.

But the standard document from 27001:2013, states to follow ISO 31000 rather than 27005. It is no where specified to follow 27005. Our auditors wants us to go with the 31000.

We are now working on the identification of issues. Is there any catalogue of issues or any template is there to help us. Can you tell us the step by step process to move forward.

Many Thanks,

Vijay

In my view, following 31000 will be much helpful since it covers the issues in all areas, whereas, 27005 focuses only on Asset.

You are right, as I said in my previous message, ISO 27005 and ISO 31000 have the same structure, even the ISO 27005 refers to the structure of the risk management process of ISO 31000, because it is more global and generic, but if you work only with risks related to information security is much better ISO 27005, because you can find on it things that ISO 31000 does not have, for example, a catalogue of threats and vulnerabilities for information security.

For the identification of issues, basically you need to identify internal and external issues. For internal issues, you must make sure that your information security objectives are aligned with the business strategy, perform the risk assessment, determine resources, information security roles and responsibilities and capabilities. For external issues you simply need to identify interested parties. Anyway, for more information about this, you can read this article "Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization)" : https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
And also this article can be interesting for you "How to identify interested parties according to ISO 27001 and ISO 22301" : https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
Regarding to your second question, I agree with you in that ISO 31000 can be much helpful if you need a generic methodology (not only based on information security), and ISO 27005 talks about assets because it was developed for ISO 27001:2005. I suppose that the next version of ISO 27005, will be aligned with ISO 27001:2013.