Risk management according to ISO 27001, ISO 27005 and ISO 31000

Guest user Created:   Apr 11, 2018 Last commented:   Mar 27, 2020


It is regarding the ISO 27001 certification. The company I work for would like to be certified against ISO 27001. So I need to write a risk assessment methodology, and it has been a while since I have done this. The question lies on the business impact analysis. According to the website, I only see likelihood and impact assessment; I don't see CIA ratings. But I think it is because the website refers to ISO 31000 and I am using 27005. 27005 does say something about asset valuation when you identify your assets. Based on my education, I only know the method to classify CIA ratings against a process, not an individual asset. The question is more like: if you identify your assets that are supporting a specific business process, and threats and vulnerabilities, and you don't use a BIA, but you go straight to assessing the likelihood and impact just by saying it is low, medium or high, then you don't use the ISO 27005 standard, if I am correct?


Expert
Dejan Kosutic Apr 11, 2018

Here are the answers:
1) The business impact analysis is not required by ISO 27001, and our recommendation is not to do it as part of information security risk management because it would complicate things unnecessarily.
2) The ratings for confidentiality, integrity and availability are not required by ISO 27001, however the standard requires you to take them into account when determining the impact - in other words, you should assess the level of impact as one measure that should take into account the impact of these three elements. Of course, if you want your risk assessment to be more detailed, then you can assess C-I-A separately, and take the highest value as the impact.
3) Asset valuation is not required if you assess the impact.
4) Using ISO 27005 is not mandatory according to ISO 27001, however ISO 27005 does allow you to use very simple assessment scales like low, medium and high.

These articles will provide you further explanation about risk assessment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/

These materials will also help you regarding risk assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

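As an added illustration of the approach described in points 2) and 4) of the answer above (this is example code, not from the forum post or from Advisera), the following Python snippet scores risks on simple low/medium/high scales, derives one impact value from the C, I and A ratings by taking the highest of the three, and multiplies it by likelihood. The assets, threats, ratings and the acceptable risk level of 3 are constructed assumptions for the example.

```python
# Added example (not from the forum post): a minimal qualitative risk
# assessment with low/medium/high scales, one impact value derived from
# C, I and A by taking the highest of the three, and risk = likelihood x impact.
# All assets, threats and ratings below are constructed sample data; the
# acceptance threshold is an assumption.
from dataclasses import dataclass

# Constructed 3-point scale used for both likelihood and impact ratings.
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str        # "low" | "medium" | "high"
    confidentiality: str   # impact on confidentiality if the threat materialises
    integrity: str         # impact on integrity
    availability: str      # impact on availability


def rating(value: str) -> int:
    """Map a qualitative rating to its numeric value, rejecting typos such as 'hgih'."""
    try:
        return SCALE[value.strip().lower()]
    except KeyError:
        raise ValueError(f"unknown rating {value!r}; expected one of {sorted(SCALE)}") from None


def impact_level(risk: Risk) -> int:
    """Single impact measure that takes C, I and A into account: the highest of the three."""
    return max(rating(risk.confidentiality), rating(risk.integrity), rating(risk.availability))


def risk_score(risk: Risk) -> int:
    """Likelihood x impact on the 3-point scales gives a score from 1 to 9."""
    return rating(risk.likelihood) * impact_level(risk)


def needs_treatment(risk: Risk, acceptable: int = 3) -> bool:
    """Anything above the (assumed) acceptable level goes to risk treatment."""
    return risk_score(risk) > acceptable


def risk_register(risks, acceptable: int = 3):
    """Build a register sorted with the highest risks first, each with its treatment decision."""
    rows = [
        {
            "asset": r.asset,
            "threat": r.threat,
            "vulnerability": r.vulnerability,
            "likelihood": rating(r.likelihood),
            "impact": impact_level(r),
            "score": risk_score(r),
            "treat": needs_treatment(r, acceptable),
        }
        for r in risks
    ]
    return sorted(rows, key=lambda row: row["score"], reverse=True)


# Constructed sample entries: asset, threat and vulnerability matched as in
# the asset-based approach the thread discusses.
SAMPLE_RISKS = [
    Risk("customer database", "unauthorised access", "weak password policy",
         likelihood="medium", confidentiality="high", integrity="medium", availability="low"),
    Risk("public web server", "denial of service", "no traffic rate limiting",
         likelihood="high", confidentiality="low", integrity="low", availability="medium"),
    Risk("office printer", "theft", "unlocked storage room",
         likelihood="low", confidentiality="low", integrity="low", availability="low"),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_RISKS):
        flag = "TREAT" if row["treat"] else "accept"
        print(f"{row['score']:>2}  {flag:<6} {row['asset']:<20} {row['threat']}")
```

Running the block prints the register in descending order of score; the two risks scoring 6 exceed the assumed acceptable level of 3 and are flagged for treatment, while the printer theft at score 1 is accepted. Taking the maximum of C, I and A is a deliberate choice: it keeps a single impact figure per risk, as the answer suggests, without letting a low availability rating dilute a high confidentiality one.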
Guest
Peter Mar 25, 2020

Let me rephrase the task at hand:

I want to prepare for an ISO 27001 certification and decide to use the ISO 27005 risk management methodology. What steps are mandatory, and what is optional? Can I focus on asset impact instead of asset valuation when using ISO 27005 as the basis?

Expert
Rhand Leal Mar 27, 2020

I want to prepare for an ISO 27001 certification and decide to use the ISO 27005 risk management methodology. What steps are mandatory, and what is optional?

First, it is important to note that ISO 27005 is not a methodology, but a general framework for information security risk management.

It differs from ISO 27001 in the fact that ISO 27005 provides not only steps for the risk management process (e.g., risk assessment, risk evaluation, risk treatment, etc.), but options regarding how to perform each step (e.g., a qualitative or quantitative approach to risk assessment). A specific set of options to perform the steps would be a methodology, so from ISO 27005 you can develop several different methodologies to perform the same steps.

Considering that, if by steps you mean parts of the process, then all steps of ISO 27005 are required by ISO 27001. If by steps you refer to how to execute the process, you are free to choose, among the approaches provided by ISO 27005, the options that best suit you, because ISO 27001 does not prescribe how to perform them.

Can I focus on asset impact instead of asset valuation when using ISO 27005 as the basis?

Considering the previous answer, you can use asset impact instead of asset valuation when performing risk assessment for ISO 27001 using the ISO 27005 framework.
