In performing my risk assessment using your toolkit's methodology, how do I go about identifying organizational risks such as lack of a security incident policy or change management process, or not classifying confidentiality levels of documents, when I am using an asset-based approach?
Answer:
In the asset-based methodology it is possible to relate each of the vulnerabilities you have mentioned to particular assets. So, for instance, lack of a security incident policy can be related to your internal network, databases, software, etc.
Anyway, to identify organizational risks, first you need to identify threats/vulnerabilities related to assets (in our methodology you can calculate risks based on the consequences and likelihood of threats/vulnerabilities). Here you can see an example Catalogue of threats & vulnerabilities: https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
Have you seen our methodology? Here you can see a free version by clicking on the Free Demo tab: Risk Assessment and Risk Treatment Methodology: http://advisera.com/27001academy/documentation/risk-assessment-and-risk-treatment-methodology/
Finally, this article can also be interesting for you: ISO 27001 risk assessment: How to match assets, threats and vulnerabilities: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
Jan 12, 2016
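As an added illustration of the answer above (example code, not Advisera's toolkit): an asset-based risk register in which each organization-wide weakness is attached to every asset it affects and scored per asset/threat/vulnerability combination. The 0..2 consequence and likelihood scales, the risk = consequence + likelihood formula, the acceptance threshold, and all asset and vulnerability names are assumptions constructed for this example.

```python
from dataclasses import dataclass

ACCEPTABLE_RISK = 2  # assumed threshold: risk above this needs treatment

@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    vulnerability: str
    consequence: int  # 0..2 (assumed scale)
    likelihood: int   # 0..2 (assumed scale)

    def risk(self) -> int:
        if not (0 <= self.consequence <= 2 and 0 <= self.likelihood <= 2):
            raise ValueError("consequence and likelihood must be in 0..2")
        return self.consequence + self.likelihood

# Constructed sample: org-wide weakness -> (threat it enables, assets it touches)
ORG_VULNERABILITIES = {
    "No security incident policy": (
        "Security breach not detected or handled",
        ["Internal network", "Customer database", "ERP software"]),
    "No change management process": (
        "Unauthorized or untested change", ["ERP software", "Firewall config"]),
    "Documents not classified by confidentiality": (
        "Disclosure of sensitive documents", ["Customer database", "Contract archive"]),
}

def build_register(org_vulns, scores):
    """Expand each org-wide vulnerability into one entry per affected asset.
    scores: {(asset, vulnerability): (consequence, likelihood)}; unscored pairs get (0, 0)."""
    register = []
    for vuln, (threat, assets) in org_vulns.items():
        for asset in assets:
            cons, like = scores.get((asset, vuln), (0, 0))
            register.append(RiskEntry(asset, threat, vuln, cons, like))
    return register

def unacceptable(register, threshold=ACCEPTABLE_RISK):
    """Entries whose risk exceeds the threshold, highest risk first."""
    return sorted((e for e in register if e.risk() > threshold),
                  key=lambda e: e.risk(), reverse=True)

if __name__ == "__main__":  # constructed scores for two of the pairs
    reg = build_register(ORG_VULNERABILITIES, {
        ("Customer database", "No security incident policy"): (2, 2),
        ("ERP software", "No change management process"): (2, 1)})
    for e in unacceptable(reg):
        print(f"risk={e.risk()} {e.asset}: {e.vulnerability} -> {e.threat}")
```

Unscored asset/vulnerability pairs still appear in the register at risk 0, so a missing assessment shows up as a row to review rather than silently disappearing.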