
Expert Advice Community

Guest

Risk assessment

Guest user Created:   Apr 23, 2018 Last commented:   Apr 23, 2018


My question regarding risk assessment is how to conduct the table tools of it.

Expert
Rhand Leal Apr 23, 2018

The point is, I believe that risk assessments often use tables to analyze the variables. My doubt is how someone can make the necessary analysis of assets, threats and vulnerabilities, since there are so many options for a single asset. I believe that pointing out all of them would make the analysis larger than it needs to be and it probably wouldn’t be so functional, so probably in the assessments the standards and laws do not require a full analysis of all assets/procedures.

For example, if I added “hardware” in the table from one of your lectures. Let’s say the risk owner would be the CSO, the threats could be: the CSO himself (due to his actions), fire, electricity outage, unauthorized access, theft, hacking, among many others.

For all these threats it is possible to establish a control method to reduce or avoid them, but adding all these points to the inventory table below would make it less effective, I guess.

Answer: To make your risk assessment more effective, you should consider the assets, threats, and vulnerabilities to be analysed in terms of the requirements your ISMS must fulfill (e.g., laws, regulations, contracts, business objectives, etc.). By this approach, your assessment will focus on risks that can have perceivable impacts on the business.

Regarding the quantity of elements, I generally use the approach of performing the risk assessment in cycles, where in each cycle I work on a small quantity of risks (5 to 10), also limiting the quantity of assets, threats and vulnerabilities. First I start with the ones perceived as the highest. After each assessment, if I conclude the overall risk level is still unacceptable, I perform another cycle (in general I need three to four cycles to finish the assessment). This way you can cover both the highest perceived risks and a quantity of risks that your resources are capable of handling.

2 - Concluding my question, what are the main metrics to establish the main threats and vulnerabilities to an asset, reducing the table and improving effectiveness?

Answer: For the identification of main threats and vulnerabilities to an asset you can rely on historical data (from your own organization or related to your general industry), expert opinion, or specialized material, such as standards recommendations.

These articles will provide you further explanation about risk assessment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- Catalogue of threats & vulnerabilities https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/

These materials will also help you regarding risk assessment:
- Diagram of ISO 27001:2013 Risk Assessment and Treatment process https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
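The cycle-based approach described in the answer above, worked through as an added Python example (not code from the original post or from Advisera): a small asset/threat/vulnerability register for the "hardware" asset from the question, treated a few risks per cycle, highest first, until no risk is left above an acceptable level. The 1-5 likelihood and impact scales, the sample vulnerabilities and the assumption that a control lowers likelihood by two points are constructed for illustration.

```python
"""Iterative risk assessment in cycles (added example, not the forum's own code)."""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # constructed scale: 1 (rare) .. 5 (almost certain)
    impact: int      # constructed scale: 1 (minor) .. 5 (severe)

    @property
    def level(self) -> int:
        """Risk level as likelihood x impact (1..25)."""
        return self.likelihood * self.impact


def build_register() -> list[Risk]:
    """Constructed sample register for the 'hardware' asset from the question."""
    return [
        Risk("hardware", "fire", "no fire suppression in server room", 2, 5),
        Risk("hardware", "electricity outage", "no UPS for core servers", 4, 3),
        Risk("hardware", "unauthorized access", "server room door left unlocked", 3, 4),
        Risk("hardware", "theft", "laptops not secured outside office hours", 3, 3),
        Risk("hardware", "hacking", "unpatched management firmware", 4, 4),
        Risk("hardware", "CSO actions", "no dual control on configuration changes", 2, 2),
    ]


def run_cycles(register: list[Risk], acceptable: int = 6,
               per_cycle: int = 5, max_cycles: int = 10) -> list[list[str]]:
    """Treat at most `per_cycle` of the highest risks per cycle until every risk
    is at or below `acceptable`. Returns the threats treated in each cycle."""
    cycles = []
    for _ in range(max_cycles):
        # Only risks still above the acceptable level are candidates; highest first.
        open_risks = sorted((r for r in register if r.level > acceptable),
                            key=lambda r: r.level, reverse=True)
        if not open_risks:
            break  # overall risk level is now acceptable: stop cycling
        batch = open_risks[:per_cycle]  # cap the work to what resources can handle
        for r in batch:
            # Assumption: applying a control reduces likelihood by two points.
            r.likelihood = max(1, r.likelihood - 2)
        cycles.append([r.threat for r in batch])
    return cycles


def residual_levels(register: list[Risk]) -> dict[str, int]:
    """Residual risk level per threat after treatment."""
    return {r.threat: r.level for r in register}
```

With `acceptable=6` and `per_cycle=3` the register above needs two cycles; a risk that is still above the threshold after one treatment (here "hacking") is picked up again in the next cycle.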
