Qualitative risk assessment is based on perceptions and judgements to assess probabilities and impacts, does not make use of complex mathematical analysis, and its results make sense only in the context of the analysis, generally represented by scales like “low, medium and high” or “80 on a scale from 0 to 99” (e.g., high risk of data loss, or a risk of data loss of 80 on a scale from 0 to 99). 99% of the companies use qualitative assessment to perform quick assessments in simple situations or to help identify risks that require further analysis when they have many risks to work on.
On the other hand, quantitative risk assessment is based on heavy use of mathematics (e.g., statistical distributions) and simulation tools to assess probabilities and impacts, and its results make sense outside the context of the analysis, generally in terms of money and time impacts if a risk occurs in a specific period (e.g., a 30% chance of data loss results in a loss of 550k if the risk occurs in the next five years). Terms related to quantitative risk assessment are ROSI, SLE, ARO and ALE, about which you can learn more by watching this free webinar:
- ISO 27001 benefits: How to obtain management support https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/
These materials will also help you regarding qualitative risk assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
Feb 11, 2017
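A worked calculation of the quantitative terms named in the answer (SLE, ARO, ALE, ROSI) applied to its data-loss figures, as an added example that is not part of the original answer; the per-year conversion assumes independent years with the same chance each year, and the control cost and its effect are assumed numbers for illustration.

```python
"""Quantitative risk figures (SLE, ARO, ALE, ROSI) for the data-loss
scenario in the answer: a 30% chance of a 550k loss within five years.
Added example; the control cost and its effect are assumed figures."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    sle: float  # Single Loss Expectancy: loss per occurrence (money)
    aro: float  # Annualized Rate of Occurrence: expected events per year

    @property
    def ale(self) -> float:
        # Annualized Loss Expectancy = SLE x ARO
        return self.sle * self.aro


def annual_rate_from_period_probability(p_period: float, years: float) -> float:
    """Convert 'probability p of at least one event within N years' into a
    per-year rate, assuming each year has the same chance and years are
    independent: P(no event in N years) = (1 - p_year) ** N."""
    if not 0 <= p_period < 1 or years <= 0:
        raise ValueError("probability must be in [0, 1) and years > 0")
    return 1 - (1 - p_period) ** (1 / years)


def rosi(before: Scenario, after: Scenario, control_cost_per_year: float) -> float:
    """Return on Security Investment:
    (ALE before - ALE after - annual control cost) / annual control cost."""
    if control_cost_per_year <= 0:
        raise ValueError("control cost must be positive")
    return (before.ale - after.ale - control_cost_per_year) / control_cost_per_year


def data_loss_example() -> dict:
    # Figures from the answer: 30% chance of a 550k loss within five years.
    aro = annual_rate_from_period_probability(0.30, 5)
    before = Scenario(sle=550_000, aro=aro)
    # Assumed control (e.g. offsite backups): cuts the yearly chance by 80%
    # and costs 10k per year. Both numbers are illustrative assumptions.
    after = Scenario(sle=before.sle, aro=aro * 0.2)
    return {
        "aro_per_year": aro,
        "ale_before": before.ale,
        "ale_after": after.ale,
        "rosi": rosi(before, after, 10_000),
    }


if __name__ == "__main__":
    for key, value in data_loss_example().items():
        print(f"{key}: {value:,.2f}")
```

Negative ROSI would mean the assumed control costs more per year than the loss expectancy it removes, which is the quantitative signal the answer contrasts with "low, medium, high".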