ISO 27001 does not specify a method to perform risk assessment, so you can adopt the method that best fulfills your needs.
When using a methodology that uses assets, threats, and vulnerabilities, you can assess assets as a group if they share common threats and vulnerabilities, assessing individual assets only if they have specific threats and vulnerabilities.
For example, if desktop applications 1 to 4 are used by the HR team and share similar threats and vulnerabilities, they can be assessed as a single asset called, let's say, "HR desktop applications".
These articles will provide you with further explanation about risk assessment:
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
Oct 21, 2021