Expert Advice Community

Risk Assessment Table

Guest user Created: Aug 12, 2020 Last commented: Aug 18, 2020

I would like to find out from you how to treat the quality of work that an organization produces during its operations. Should this be considered when preparing the Risk Assessment?

For example,

Appendix 1 - Risk Assessment Table
https://i.imgur.com/g1qgUdT.png


Expert
Rhand Leal Aug 12, 2020

For ISO 27001, first, it is important to understand how compromised quality of work can compromise information security (i.e., it impacts information confidentiality, integrity and/or availability). From that understanding, you can evaluate if it can be considered for risk assessment and how.

Since we do not know what quality of work means for you (i.e., how it can be measured), it is not possible to give you an example related to your scenario, but here is an example considering social engineering (exploiting human psychology to compromise information) as a threat:

  • the employee may be lured to reveal his/her password (compromising confidentiality)
  • the employee may be lured to "update" a customer record (compromising integrity)
  • the employee may be lured to shut down an application (compromising availability)

This article will provide you with a further explanation about matching assets, threats, and vulnerabilities:

Guest
Kevin Jones Aug 12, 2020

Thank you for the response. We are struggling with understanding ISO 27001 as it relates to production cause/effect and security cause/effect. Here is where our lack of understanding comes in.

At our secured Data Entry facility, we suffer from daily loss of utility power. Our operation does not serve any data. Our operators reside in our facility and process data on secured remote servers in our customer's locations. We store no data at our facility. When we lose power our security lights go out and our security doors unlock. This will compromise the security of our facility. Loss of power also affects our operation as we can no longer process data.

We mitigate the security vulnerabilities of power loss with UPSs and generators. We plan on including this in our ISO27001 as how we mitigate power loss.

Here is my question. Do we address how the UPS and generators affect our production by keeping us operational, or is this a production issue that has nothing to do with security as defined by ISO27001?

Expert
Rhand Leal Aug 18, 2020

Please note that ISO 27001's objective is the protection of information, regardless of its format and where it is.

Considering that, you need to evaluate your situation not by what you do, but by how it impacts the information you want to protect (in this case I'm assuming it is the data you access remotely).

In your stated scenario, the loss of utility power may impact availability of processed information in the following ways:
- an unauthorized person may have access to your facility and damage the equipment you use to remotely process data, so when utility power is back you cannot resume the work;
- during the power loss, you cannot provide processed information.

In these cases, you need to consider how the UPS and generators affect your operational capacity to maintain the remote processing of information. Basically, all these risks are actually related to availability of information, which is part of the C-I-A triad.
