Guest user Created: Apr 15, 2019 Last commented: Apr 15, 2019

Risk assessment for ISMS and BCMS

I am ISMS at XXX and really want to express my appreciation for Advisera services. I really like the ISO27k related books and articles. My colleague, XXX is the DRP Manager at XXX, he has also acquired your book on business continuity. We both are using the methodologies you are suggesting but we do not meet in the middle for some reason and I assume the following: the RA methodology and the RA Matrix has two axes from 1-5 (we use the formula IxL=R; but the BIA Matrix has the axes from 1-4 and I assume that there is the problem. Can you please advise?

0 0

Assign topic to the user

Select user

Expert

Rhand Leal Apr 15, 2019

Answer:

Since BIA relates Impact over Time, and RA relates Impact and Likelihood, I'm assuming by your statement that the RA process used for BIA is using a 1-4 scale, and on the RA for the ISMS you are using the 1-5 scale. Considering that, you have two options to consider to have comparable results:

1 - Adopt a single scale for RA process used both for BIA and the ISMS

2 - Uses a constant to convert the risk value used on BIA to ISMS and vice versa

Considering the second alternative, for each risk value found using the scale 1-5 you must multiply it by .8 to find its equivalent risk value when using the 1-4 scale. For the reverse path (i.e., converting the value from 1-4 scale to 1-5 scale), the constant to be used is 1.25.

This article can provide you further information regarding risk assessment and business impact analysis:
- Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Apr 15, 2019

Expert Advice Community