Expert Advice Community

Risk assessment approaches

Guest user Created:   Jul 14, 2018 Last commented:   Jul 14, 2018

I would like to make a request on three issues regarding ISO 27001:2013 implementation in building an ISMS
Expert
Rhand Leal Jul 14, 2018

1- Which is the best approach to be used during risk assessment between Asset based and Processed approach?

Answer: First, it is important to understand that ISO 27001 does not prescribe an approach to perform risk assessment, so you can choose the approach that better suits your needs.

Asset-based risk assessment is easier to perform, while the process-based risk assessment can provide you with a more understandable context to identify and evaluate risks.

These materials will provide you with further explanation about risk assessment approaches:
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification https://advisera.com/27001academy/blog/2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identification/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

2 - At what stage do you determine residual risk and how best can it be done?

Answer: You determine residual risk after the definition of the risk treatment option and controls to be implemented (definition of the risk treatment plan).

These materials will provide you with further explanation about residual risk:
- Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
