Risk management according to ISO 27001, ISO 27005 and ISO 31000
Here are the answers:
1) The business impact analysis is not required by ISO 27001, and our recommendation is not to do it as part of information security risk management because it would complicate things unnecessarily.
2) The ratings for confidentiality, integrity and availability are not required by ISO 27001; however, the standard requires you to take them into account when determining the impact. In other words, you should assess the level of impact as one measure that takes into account the impact on these three elements. Of course, if you want your risk assessment to be more detailed, then you can assess C-I-A separately and take the highest value as the impact.
3) Asset valuation is not required if you assess the impact.
4) Using ISO 27005 is not mandatory according to ISO 27001; however, ISO 27005 does allow you to use very simple assessment scales like low, medium and high.
These articles will provide you further explanation about risk assessment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/
These materials will also help you regarding risk assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
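The answer above describes two ways to arrive at an impact rating (one overall rating, or separate C-I-A ratings with the highest taken as the impact) and mentions the simple low/medium/high scales that ISO 27005 permits. The following script is an added example, not part of the original answer or of Advisera's materials, showing how a small risk register could apply both options side by side. The numeric scale mapping, the likelihood x impact scoring, the acceptance threshold and the sample register entries are all assumptions constructed for this example, not values prescribed by ISO 27001 or ISO 27005.

```python
# Added example: a minimal qualitative risk assessment in the style discussed above.
# The scale values, the scoring formula, the acceptance threshold and the sample
# register are assumptions for illustration, not requirements of ISO 27001/27005.
from dataclasses import dataclass
from typing import Optional

# Qualitative scale (assumed) used for both impact and likelihood
SCALE = {"low": 1, "medium": 2, "high": 3}
# Assumed acceptance criterion: risk score (likelihood x impact) above this needs treatment
ACCEPTANCE_THRESHOLD = 4


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str                      # "low" | "medium" | "high"
    impact: Optional[str] = None         # simple option: one overall impact rating
    cia: Optional[dict] = None           # detailed option: {"C": ..., "I": ..., "A": ...}


def _check_scale(value: str, where: str) -> int:
    if value not in SCALE:
        raise ValueError(f"{where}: '{value}' is not one of {sorted(SCALE)}")
    return SCALE[value]


def impact_level(risk: Risk) -> int:
    """Numeric impact. With separate C-I-A ratings, take the highest of the three;
    otherwise use the single overall impact rating."""
    if risk.cia:
        missing = {"C", "I", "A"} - set(risk.cia)
        if missing:
            raise ValueError(f"{risk.asset}: C-I-A ratings missing {sorted(missing)}")
        return max(_check_scale(v, f"{risk.asset} {k}") for k, v in risk.cia.items())
    if risk.impact is None:
        raise ValueError(f"{risk.asset}: need either an 'impact' rating or 'cia' ratings")
    return _check_scale(risk.impact, f"{risk.asset} impact")


def risk_score(risk: Risk) -> int:
    """Assumed scoring: likelihood x impact on the 1-3 scale (range 1..9)."""
    return _check_scale(risk.likelihood, f"{risk.asset} likelihood") * impact_level(risk)


def needs_treatment(risk: Risk) -> bool:
    return risk_score(risk) > ACCEPTANCE_THRESHOLD


def assess(register: list) -> list:
    """Score every entry and return rows ordered from highest to lowest risk."""
    rows = []
    for r in sorted(register, key=risk_score, reverse=True):
        rows.append({
            "asset": r.asset,
            "threat": r.threat,
            "vulnerability": r.vulnerability,
            "impact": impact_level(r),
            "likelihood": SCALE[r.likelihood],
            "score": risk_score(r),
            "decision": "treat" if needs_treatment(r) else "accept",
        })
    return rows


def risks_to_treat(register: list) -> list:
    """Assets whose risk exceeds the assumed acceptance threshold, highest first."""
    return [row["asset"] for row in assess(register) if row["decision"] == "treat"]


# Constructed sample register: two entries use separate C-I-A ratings, two use a
# single overall impact rating, showing that both options feed the same scoring.
SAMPLE_REGISTER = [
    Risk("customer database", "unauthorised access", "shared admin password",
         likelihood="medium", cia={"C": "high", "I": "medium", "A": "low"}),
    Risk("office printer", "hardware failure", "no maintenance contract",
         likelihood="medium", impact="low"),
    Risk("web server", "denial of service", "no rate limiting",
         likelihood="high", cia={"C": "low", "I": "low", "A": "medium"}),
    Risk("field laptop", "theft", "disk not encrypted",
         likelihood="low", impact="high"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(row)
```

The point of the example is the shape of the decision, not the particular numbers: whichever impact option you choose, the methodology document should state the scales, the formula and the acceptance criterion, so that an auditor can reproduce the "treat" or "accept" decision for every register entry.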
Let me rephrase the task at hand:
I want to prepare for an ISO 27001 certification and decide to use the ISO 27005 risk management methodology. What steps are mandatory, and what is optional? Can I focus on asset impact instead of asset valuation when using ISO 27005 as the basis?
I want to prepare for an ISO 27001 certification and decide to use the ISO 27005 risk management methodology. What steps are mandatory, and what is optional?
First, it is important to note that ISO 27005 is not a methodology, but a general framework for information security risk management.
It differs from ISO 27001 in that ISO 27005 provides not only the steps of the risk management process (e.g., risk assessment, risk evaluation, risk treatment, etc.), but also options regarding how to perform each step (e.g., a qualitative or quantitative approach to risk assessment). A specific set of options for performing the steps would be a methodology, so from ISO 27005 you can develop several different methodologies to perform the same steps.
Considering that, if by steps you mean the parts of the process, then all steps of ISO 27005 are required by ISO 27001. If by steps you refer to how to execute the process, you are free to choose, among the approaches provided by ISO 27005, the options that best suit you, because ISO 27001 does not prescribe how to perform them.
Can I focus on asset impact instead of asset valuation when using ISO 27005 as the basis?
Considering the previous answer, you can use asset impact instead of asset valuation when performing risk assessment for ISO 27001 using the ISO 27005 framework.
Mar 27, 2020