Expert Advice Community


Risk Management and "Asset value" & Asset Criticality

Guest
Guest user Created:   Sep 07, 2020 Last commented:   Sep 07, 2020


In your booklet "Step-by-step explanation of ISO 27001/ISO 27005 risk management", you use a risk calculation where "asset value" is part of the formula. My questions are:

1) Does ISO 27001/27005 require the Risk Management process to use asset value as part of calculating the risk assessment level?

2) Does the standard require asset valuation as part of the Risk Management process? Or can it be seen as an input, rather than a direct output of the process? That is to say, asset value is important to me as Risk Manager, but I need that input from the organization. It is not my responsibility to produce it as part of the RM process.

3) What is the relationship between asset value and criticality assessment (like FIPS 199/200)? Again, I see asset criticality assessment as an input to RM, alas, not something that I am responsible for as part of the RM process.

4) Finally, have you written a solid book (like the one on 22301) that explains in detail how 27005 should be applied section by section?

Expert
Rhand Leal Sep 07, 2020

1) Does ISO 27001/27005 require the Risk Management process to use asset value as part of calculating the risk assessment level?

ISO 27001 and ISO 27005 do not prescribe the use of the asset value for risk assessment, so organizations are free to use any approach they see fit to their needs.

2) Does the standard require asset valuation as part of the Risk Management process? Or can it be seen as an input, rather than a direct output of the process? That is to say, asset value is important to me as Risk Manager, but I need that input from the organization. It is not my responsibility to produce it as part of the RM process.

ISO 27001 requires only that risks are evaluated, so you can obtain this value either as a result of asset valuation, from any other risk management related process, or from direct input from the personnel involved in the risk assessment process. Please note that in either case the responsibility for the value lies with the personnel involved in the risk assessment process, but you, as Risk Manager, must ensure the processes are performed in the right way and with the proper personnel.

3) What is the relationship between asset value and criticality assessment (like FIPS 199/200)? Again, I see asset criticality assessment as an input to RM, alas, not something that I am responsible for as part of the RM process.

Criticality analysis is a systematic approach to identifying how critical an asset is to the business, to support the evaluation of potential risks and to highlight any business impacts associated with such risks. Considering that, for this approach you do not need the asset value, but only the identification of the asset itself (in this case, you need to evaluate the impact caused by the lack or failure of the asset).

4) Finally, have you written a solid book (like the one on 22301) that explains in detail how 27005 should be applied section by section?

Since ISO 27005 is a supporting standard for ISO 27001 implementation, we did not develop a book covering this specific standard, but we used its guidance and recommendations to develop the ISO 27001 Risk Management in Plain English.
