Risk Assessment
Looking for your expert opinion.
Background:My ISMS scope consist of 3 scopes :1) Data Center 2) Portal Maintenance & 3) A critical business process e.g: driving license application
Question: Can I use asset based risk assessment or should I use process based risk assessment? Appreciate your expert view.
Assign topic to the user
First is important to note that ISO 27001 does not prescribe an approach to be used for risk assessment, only what must be performed.
Considering that, we generally recommend the asset-based risk assessment, because it is easier to perform. However, with the process-based risk assessment you can have a more understandable context to identify and evaluate risks, so the decision about which approach to use will depend on the competencies you have available and objectives you want to achieve.
These materials will provide you a further explanation about risk assessment approaches:
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification https://advisera.com/27001academy/blog/2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identification/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Comment as guest or Sign in
Sep 10, 2020