Risk Assessment Methodology
Antoin,
Here are the answers:
1) Yes, this is a classic approach to risk assessment methodology, completely acceptable under ISO 27001; additionally, you need to identify the risk owners. See also this article: How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
2) ISO 27001 does not require you to perform separate assessments for impact on confidentiality, integrity and availability (in such a case the highest value is your impact) - however, you can separate them if you want your assessment to be more precise. Usually financial institutions use this more detailed approach to risk assessment.
Jan 12, 2016