Risk assessment reference

1. There is a question that the external auditor of ISO 27001 asked me, what is the reference or basis used for the risk assessment methodology that you have in your table? See point 3 of the attached document.

First is important to note that ISO 27001 does not prescribe any risk assessment methodology, so organizations can adopt any methodology they see fit for their needs or create their own, provided it fulfills requirements from clause 6.1.2 – information security risk assessment.

Considering that, the asset-threat-vulnerability approach used in our template follows the guidelines from ISO 27005, the ISO standard for information security risk management.

This article will provide you a further explanation risk assessment:

• ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

These materials will also help you regarding risk assessment:

• The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
• Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

2. Another question, do you know where I can buy the ISO 27001: 2013 standard in Spanish?

You can buy a Spanish version of ISO 27001 at Aenor site: https://www.aenor.com/normas-y-libros/buscador-de-normas/une/?c=N0058428