Expert Advice Community

Risk management approach

Guest user Created: Feb 14, 2019 Last commented: Feb 14, 2019

Given that 27001 gives us freedom to choose the approach to RA, I've been doing some research on other standards that will help us follow a more methodological approach. And I feel like I'm in the middle of the jungle right now.

My first idea was that it would be very interesting for us to have a well-defined method, which wouldn't depend on people. The asset-vulnerability-threat approach is very intuitive and really easy, but not at all methodological, meaning that it is the opposite of a checklist or a detailed approach and depends much more on a somewhat deep knowledge of the business. We need a person-independent method.

So, after having a look around and considering our small size and so on, I'm thinking of both CCM (CSA STAR) and especially BSI methods. IT-Grundschutz looks like a good approach, as it claims to be a complement to the ISO standard. The idea is not to get certified on 27001 on the basis of IT-Grundschutz (at least not for now), but to use it for the practical implementation (the "how") of the ISMS. But I still need to know which one of the three levels of protection we should aim for at this point, and how to optimize the method for our case. C5 looks out of reach at the moment, and probably unnecessary.

So, I would like to have a clue about what method we could best use in order to have a systematic approach to RA for a small private cloud provider. My main concern is where to focus considering our case. Can you guide me on this, please?

Expert
Rhand Leal Feb 14, 2019

Answer:

Since you stated that you are a small private cloud provider, it seems to me you are spending too much effort on defining your RA and RT approach. If you do not have any legal requirement (e.g., contract, law or regulation) demanding the use of a specific or otherwise more elaborate methodology, you should keep it as simple as possible.

Considering your scenario, you could use a mix of qualitative and quantitative approaches. The qualitative approach (based on people's perception) will help you quickly identify risks relevant to your organization (elaborating checklists will consume time and effort, and may not cover all possible situations). After that you can perform a quantitative approach (based on probabilities and potential costs) to justify your risks based on how much they may cost you if they occur.

These materials will provide you further explanation about risk management:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- Qualitative vs. quantitative risk assessments in information security: Differences and similarities https://advisera.com/27001academy/blog/2017/03/06/qualitative-vs-quantitative-risk-assessments-in-information-security/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
