It is regarding the ISO 27001 certification. The company I work for would like to be certified against ISO 27001, so I need to write a risk assessment methodology, and it has been a while since I have done this. The question lies on the business impact analysis. According to the website I only see a likelihood and impact assessment; I don't see CIA ratings. But I think it is because the website refers to ISO 31000 and I am using 27005. 27005 does say something about asset valuation when you identify your assets. Based on my education I only know the method to classify CIA ratings against a process, not an individual asset. The question is more like: if you identify the assets that are supporting a specific business process, and threats and vulnerabilities, and you don't use a BIA, but you go straight to assessing the likelihood and impact just by saying it is low, medium or high, then you don't use the ISO 27005 standard, if I am correct?
Here are the answers:
1) The business impact analysis is not required by ISO 27001, and our recommendation is not to do it as part of information security risk management because it would complicate things unnecessarily.
2) The ratings for confidentiality, integrity and availability are not required by ISO 27001, however the standard requires you to take them into account when determining the impact - in other words, you should assess the level of impact as one measure that should take into account the impact of these three elements. Of course, if you want your risk assessment to be more detailed, then you can assess C-I-A separately, and take the highest value as the impact.
3) Asset valuation is not required if you assess the impact.
4) Using ISO 27005 is not mandatory according to ISO 27001, however ISO 27005 does allow you to use very simple assessment scales like low, medium and high.
I want to prepare for an ISO 27001 certification and decided to use the ISO 27005 risk management methodology. What steps are mandatory, and what is optional? Can I focus on asset impact instead of asset valuation when using ISO 27005 as the basis?
I want to prepare for an ISO 27001 certification and decide to use the ISO 27005 risk management methodology. What steps are mandatory, and what is optional?
First, it is important to note that ISO 27005 is not a methodology, but a general framework for information security risk management.
It differs from ISO 27001 in that ISO 27005 provides not only the steps of the risk management process (e.g., risk assessment, risk evaluation, risk treatment, etc.), but also options regarding how to perform each step (e.g., a qualitative or quantitative approach to risk assessment). A specific set of options for performing the steps would be a methodology, so from ISO 27005 you can develop several different methodologies to perform the same steps.
Considering that, if by steps you mean the parts of the process, then all steps of ISO 27005 are required by ISO 27001. If by steps you refer to how to execute the process, you are free to choose among the approaches provided by ISO 27005 the options that best suit you, because ISO 27001 does not prescribe how to perform them.
Can I focus on asset impact instead of asset valuation when using ISO 27005 as the basis?
Considering the previous answer, you can use asset impact instead of asset valuation when performing the risk assessment for ISO 27001 using the ISO 27005 framework.