Risk assessment
Where do you assess your assets with respect to the confidentiality, sensitivity and integrity principles? And how do I incorporate this in the risk assessment? In other words, should an asset have a high rating in sensitivity, how does it affect the impact?
Please note that, for ISO 27001 risk assessment, confidentiality and integrity, alongside availability, are related to risks (6.1.2 c 1) and to consequences (6.1.2 d 1), not to assets. So, sensitivity is not related to risk assessment.
Considering that, when using an asset-based approach for risk assessment, you need to consider the loss of confidentiality, integrity, and availability to identify risks and impacts, not sensitivity.
Sensitivity is a concept related only to control A.8.2.1 – Information Classification (alongside legal requirements, value, and criticality).
Only when the results of the risk assessment, or applicable legal requirements, define control A.8.2.1 as applicable do you need to classify information regarding sensitivity, due to unauthorized disclosure (i.e., loss of confidentiality) or modification (i.e., loss of integrity).
In other words, the impact in risk assessment affects sensitivity rating, not the other way around (the greater the impacts due to loss of confidentiality or integrity, the greater should be the sensitivity rating, to ensure proper controls are implemented to protect the information).
For further information, see:
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
- Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
Mar 18, 2021