Expert Advice Community

Risk Assessment Methodology

Guest post. Created: Jan 12, 2016. Last commented: Jan 12, 2016.

We are in the process of implementing ISO 27001 and I am looking at the RA methodology. I have 2 questions.

1. We will likely be defining our RA methodology as the following:
- List of assets
- What are the vulnerabilities of each asset?
- What threats could exploit each vulnerability?
- What is the consequence?
- What is the likelihood?
= Risk level

Does this make sense in the context of 27001?

2. In order to protect the C.I.A. of information, should we conduct these risk assessments for each of confidentiality, integrity and availability? For instance: if our asset is company mobile phones, the vulnerability is asset security, the threat is theft, the consequence is unauthorised access to information and the likelihood is 1, for example (highly unlikely). Should we conduct separate assessments for the loss of each of confidentiality, integrity and availability, as theoretically it would affect all 3 in this case, or does the one with the highest risk level suffice?

DejanK Jan 12, 2016

Antoin,

Here are the answers:

1) Yes, this is a classic approach to risk assessment methodology and is completely acceptable under ISO 27001; additionally, you need to identify the risk owners as well. See also this article: How to write ISO 27001 risk assessment methodology: https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

2) ISO 27001 does not require you to do separate assessments for the impact on confidentiality, integrity and availability (in such a case the highest value is your impact); however, you can separate them if you want your assessment to be more precise. Financial institutions usually take this more detailed approach to risk assessment.

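As an added worked example (not part of the original thread and not Advisera's material), here is a small Python risk register that scores each asset/vulnerability/threat row both ways discussed in the answer: once with the highest C/I/A consequence taken as the impact, and once per dimension. The 1-5 scales, the acceptable risk level, the sample rows (including the impact scores for the mobile-phone example from the question, which the question does not give) and the risk-owner check are all assumptions for the example. It also shows the arithmetic behind the answer to question 2: when a row carries a single likelihood, the combined score equals the largest of the per-dimension scores, so the per-dimension view adds information about which property drives the risk rather than a different top-level number.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed scales for this example; ISO 27001 does not prescribe them.
# 1 = lowest, 5 = highest, for both consequence (impact) and likelihood.
SCALE_MIN, SCALE_MAX = 1, 5
DIMENSIONS = ("C", "I", "A")


@dataclass
class RiskItem:
    asset: str
    vulnerability: str
    threat: str
    risk_owner: str          # ISO/IEC 27001:2013 6.1.2 c) 2) asks for a risk owner per risk
    impact: Dict[str, int]   # consequence per dimension, keys "C", "I", "A"
    likelihood: int          # one likelihood for this asset/vulnerability/threat row


def validate(item: RiskItem) -> None:
    """Reject register rows that cannot be scored consistently."""
    if not item.risk_owner.strip():
        raise ValueError(f"{item.asset}/{item.threat}: risk owner missing")
    if set(item.impact) != set(DIMENSIONS):
        raise ValueError(f"{item.asset}/{item.threat}: impact must cover C, I and A")
    scores = list(item.impact.items()) + [("likelihood", item.likelihood)]
    for name, value in scores:
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{item.asset}/{item.threat}: {name}={value} out of range")


def risk_combined(item: RiskItem) -> int:
    """One assessment per row: the highest C/I/A consequence is the impact."""
    validate(item)
    return max(item.impact.values()) * item.likelihood


def risk_per_dimension(item: RiskItem) -> Dict[str, int]:
    """Separate assessment per dimension: same inputs, one score per property."""
    validate(item)
    return {d: item.impact[d] * item.likelihood for d in DIMENSIONS}


def dominant_dimension(item: RiskItem) -> str:
    """Which of C, I, A carries the highest score (first wins on ties)."""
    per_dim = risk_per_dimension(item)
    return max(DIMENSIONS, key=lambda d: per_dim[d])


def approaches_agree(item: RiskItem) -> bool:
    """With one likelihood per row, the max per-dimension score equals the combined score."""
    return max(risk_per_dimension(item).values()) == risk_combined(item)


def treatment_queue(register: List[RiskItem], acceptable_level: int) -> List[dict]:
    """Rows above the acceptable risk level, highest first, ready for risk treatment."""
    rows = []
    for item in register:
        level = risk_combined(item)
        if level > acceptable_level:
            rows.append({
                "asset": item.asset,
                "threat": item.threat,
                "risk_owner": item.risk_owner,
                "risk_level": level,
                "driven_by": dominant_dimension(item),
            })
    return sorted(rows, key=lambda r: r["risk_level"], reverse=True)


# Constructed sample register. The mobile-phone row follows the question's example
# (likelihood 1 = highly unlikely); its impact scores and the other rows are assumed.
REGISTER = [
    RiskItem("company mobile phones", "devices leave the premises", "theft",
             "IT manager", {"C": 4, "I": 2, "A": 3}, likelihood=1),
    RiskItem("file server", "OS patches applied late", "ransomware",
             "Head of IT", {"C": 3, "I": 5, "A": 5}, likelihood=3),
    RiskItem("public website", "no rate limiting", "DDoS",
             "Web product owner", {"C": 1, "I": 1, "A": 4}, likelihood=4),
]

if __name__ == "__main__":
    for item in REGISTER:
        print(item.asset, risk_combined(item), risk_per_dimension(item), approaches_agree(item))
    for row in treatment_queue(REGISTER, acceptable_level=8):
        print(row)
```

The `driven_by` field is where the separate assessment pays off in practice: two rows with the same combined level may need different treatment if one is driven by availability and the other by confidentiality. The register also refuses rows without a risk owner, since the answer notes that identifying risk owners is part of the methodology.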