Expert Advice Community

Guest

Risk Assessment Table

  Quote
Guest
Guest user Created:   Feb 26, 2016 Last commented:   Feb 26, 2016

Risk Assessment Table

I have a question about the Risk Assessment Table. In the Risk Assessment Table video, you mention merging the results of the assessments from various asset owners. Should the Risk Assessment Table list each item separately (e.g. "John's laptop", "Tom's laptop", "Eric's laptop"), or merge them into a single asset type (e.g. "Employee Laptops")?
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Dejan Kosutic Feb 26, 2016

You can merge them into a single asset type - as you mentioned "Employee laptops".

In the video, you also mention that in the merge process, we should choose the highest overall score for each asset listed if there is overlap from many independent assessments done by independent asset owners. This conflicts with my original intuition: If an asset has multiple vulnerabilities, I originally assumed we should include the same asset multiple (potentially many) times in the Risk Assessment table, not just the highest.

You should include all the threats and vulnerabilities related to these assets that are merged, however for the level of impact and level of likelihood you should take the highest score from all the asset owners - this way you won't lose any information, and you will be aware of the worst case scenario.
Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Feb 26, 2016

Feb 26, 2016

Suggested Topics