Risk Management Questions
We received this question:
Can you help me with the following questions
1. How much detail is necessary in the process of identifying and analyzing risks to information assets, given that many risks could be formulated for each asset?
2. Can assets be grouped for risk analysis? We have many servers with similar characteristics and possibly the same level of exposure to the same threats. What considerations should be taken into account when grouping assets to facilitate risk analysis?
3. Is there a predefined and/or recommended catalog of threats that can be used as a basis for risk analysis?
4. Is there a predefined and/or recommended catalog of vulnerabilities that can be used as a basis for risk analysis?
5. Is there a catalog of recommended controls that can be used as a basis for proposing the ideal controls for the treatment of the identified risks?
Can you help me with the following questions
1. How much detail is necessary in the process of identifying and analyzing risks to information assets, since many risks could be formulated for each asset?
ISO 27001 does not prescribe a level of detail for the identification and analysis of risks, so you can adopt the level of detail you understand will provide confidence that you have assessed the most relevant risks.
This means that for some assets 1 or 2 risks may be enough, but for others you may understand that a greater number of risks needs to be considered.
To have a parameter, when using the asset-threat-vulnerability approach, a small organization generally identifies between 30 and 60 assets, with 3 vulnerabilities and 2 threats for each asset, so it identifies between 180 and 360 risks.
For further information, see:
- Risk assessment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
2. Can assets be grouped for risk analysis? We have many servers with similar characteristics and possibly the same level of exposure to the same threats. What considerations should be taken into account to group assets to facilitate risk analysis?
ISO 27001:2013 leaves you free to use any method you consider proper to assess information security risks, as long as it meets clause 6.1.2 (information security risk assessment). So, you can assess a set of assets as a single one to identify and evaluate common risks as long as they are similar (in your case, the servers). As a consideration point, you should group assets also considering the asset owner and other parameters that can make it easier to handle them (e.g., servers that are in the same location).
This article will provide you with further explanation:
- Asset management according to ISO 27001: How to handle an asset register/asset inventory https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
3. Is there a catalog of predefined and/or recommended Threats that can be used as a basis for risk analysis?
In the Risk Assessment Table template included in your toolkit, in folder 05 Risk Assessment and Risk Treatment, you will find a tab called “Threats” with a catalog of suggested threats.
4. Is there a catalog of predefined and/or recommended vulnerabilities that can be used as a basis for risk analysis?
In the Risk Assessment Table template included in your toolkit, in folder 05 Risk Assessment and Risk Treatment, you will find a tab called “Vulnerabilities” with a catalog of suggested vulnerabilities.
5. Is there a catalog of recommended controls that can be used as a basis to propose the ideal controls for the treatment of identified risks?
In the Risk Treatment Table template included in your toolkit, in folder 05 Risk Assessment and Risk Treatment, you will find a tab called “Controls” with the catalog of controls defined in ISO 27001 Annex A.
These controls are used in the Risk Treatment tab in column K, “Means of implementation”.
For further information, see:
Aug 02, 2022
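As an added illustration of the answers to questions 1 and 2 above (example code written for this page, not part of the original answer or of any Advisera template), the script below builds a small risk register with the asset-threat-vulnerability approach. It groups assets that share kind, owner, location and exposure, so similar servers are assessed once, and then enumerates one risk entry per group for each threat/vulnerability pair in a catalog. The asset inventory, the catalog, the 1-5 scoring functions and the likelihood × impact risk level are all constructed assumptions for the example; ISO 27001 prescribes none of them.

```python
"""Constructed example: group similar assets, then enumerate risks per group.

Everything below (assets, catalog, scoring) is sample data invented for the
example; it does not come from ISO 27001 or from any risk assessment template.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str       # e.g. "web server", "database server", "laptop"
    owner: str      # asset owner, used as a grouping key
    location: str   # site or data centre, used as a grouping key
    exposure: str   # "internet" or "internal": proxy for exposure to threats


# Hypothetical catalog of (threat, vulnerability) pairs per asset kind.
CATALOG = {
    "web server": [
        ("unauthorised access", "missing security patches"),
        ("denial of service", "no rate limiting"),
        ("data leakage", "weak TLS configuration"),
    ],
    "database server": [
        ("unauthorised access", "default credentials"),
        ("data loss", "backups never restore-tested"),
    ],
    "laptop": [
        ("theft", "disk not encrypted"),
        ("malware", "no endpoint protection"),
    ],
}


def group_key(asset):
    """Assets sharing kind, owner, location and exposure are assessed as one group."""
    return (asset.kind, asset.owner, asset.location, asset.exposure)


def group_assets(assets):
    """Map each group key to the list of assets it covers."""
    groups = defaultdict(list)
    for asset in assets:
        groups[group_key(asset)].append(asset)
    return dict(groups)


def build_register(assets, likelihood, impact):
    """Return one risk entry per (asset group, threat, vulnerability).

    `likelihood` and `impact` are callables scoring 1-5 from
    (group_key, threat, vulnerability); risk level = likelihood * impact,
    a simple and common scale chosen for the example.
    """
    register = []
    for key, members in group_assets(assets).items():
        kind = key[0]
        for threat, vuln in CATALOG.get(kind, []):
            lik = likelihood(key, threat, vuln)
            imp = impact(key, threat, vuln)
            register.append({
                "group": key,
                "assets": [a.name for a in members],
                "threat": threat,
                "vulnerability": vuln,
                "likelihood": lik,
                "impact": imp,
                "risk": lik * imp,
            })
    return register


def sample_likelihood(key, threat, vuln):
    """Constructed scoring: internet-facing groups score a higher likelihood."""
    return 4 if key[3] == "internet" else 2


def sample_impact(key, threat, vuln):
    """Constructed scoring: database servers carry the highest impact."""
    return 5 if key[0] == "database server" else 3


# Constructed inventory: three identical web servers in DC-A, one in DC-B,
# one database server and one laptop.
SAMPLE_ASSETS = [
    Asset("web-01", "web server", "IT Ops", "DC-A", "internet"),
    Asset("web-02", "web server", "IT Ops", "DC-A", "internet"),
    Asset("web-03", "web server", "IT Ops", "DC-A", "internet"),
    Asset("web-04", "web server", "IT Ops", "DC-B", "internet"),
    Asset("db-01", "database server", "DBA team", "DC-A", "internal"),
    Asset("lt-001", "laptop", "Finance", "HQ", "internal"),
]


def risks_without_grouping(assets):
    """How many entries the register would have if every asset were assessed alone."""
    return sum(len(CATALOG.get(a.kind, [])) for a in assets)


if __name__ == "__main__":
    register = build_register(SAMPLE_ASSETS, sample_likelihood, sample_impact)
    print(f"{len(group_assets(SAMPLE_ASSETS))} groups, {len(register)} risks "
          f"(vs {risks_without_grouping(SAMPLE_ASSETS)} without grouping)")
    for entry in sorted(register, key=lambda e: -e["risk"]):
        print(entry["risk"], entry["assets"], entry["threat"], "/", entry["vulnerability"])
```

Grouping web-01 to web-03 (same kind, owner, location and exposure) reduces the register from 16 entries to 10 without losing a distinct risk; web-04 stays a separate group because its location differs, which matches the advice above to group by owner and location as well as by similarity.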