Risk Assessment Method
Can I use the CIS RAM as my Risk Assessment Method for implementing ISO 27001:2013? I feel very comfortable using that method but need to know if it is appropriate to use it with ISO 27001. Or is the best scenario to use ISO 27005:2018?
Generally speaking, a risk assessment methodology compliant with ISO 27001 has these 5 elements:
- risk identification
- risk owner
- likelihood
- impact
- risk level.
Provided CIS RAM can fulfill these requirements, it can be used in an ISO 27001 context.
We are not experts in CIS RAM, but based on the material provided by the Center for Internet Security (https://www.cisecurity.org/white-papers/cis-ram-risk-assessment-method/), this methodology seems too complex for beginners (please note that risk assessment is more useful when everyone in an organization can use it by themselves in a quick way, not depending upon a few persons).
To see a risk assessment methodology compliant with ISO 27001 that we consider simple to learn and use, please access this free demo template: https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/
These articles will provide information about risk management in ISO 27001:
- How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
This material will also help you regarding risk management:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Feb 16, 2021