Expert Advice Community

Risk assessment

Guest user (created: Mar 18, 2021; last commented: Mar 18, 2021)

Where do you assess your assets in relation to the confidentiality, sensitivity and integrity principle? And how do I incorporate this into the risk assessment? In other words, if an asset has a high sensitivity rating, how does that affect the impact?

Expert: Rhand Leal, Mar 18, 2021

Please note that for ISO 27001 risk assessment, confidentiality and integrity, alongside availability, are related to risks (6.1.2 c 1) and to consequences (6.1.2 d 1), not to assets. So, sensitivity is not related to risk assessment.

Considering that, when using an asset-based approach for risk assessment, you need to consider the loss of confidentiality, integrity, and availability to identify risks and impacts, not sensitivity.

Sensitivity is a concept related only to control A.8.2.1 – Information Classification (alongside legal requirements, value, and criticality).

Only when the results of the risk assessment, or applicable legal requirements, define control A.8.2.1 as applicable do you need to classify information regarding sensitivity, due to unauthorized disclosure (i.e., loss of confidentiality) or modification (i.e., loss of integrity).

In other words, the impact in risk assessment affects sensitivity rating, not the other way around (the greater the impacts due to loss of confidentiality or integrity, the greater should be the sensitivity rating, to ensure proper controls are implemented to protect the information).

For further information, see:
