
Expert Advice Community

Risk Management Questions

Guest user Created: Aug 02, 2022 Last commented: Aug 02, 2022

We received this question:

Can you help me with the following questions?

1. How much detail is necessary in the process of identifying and analysing risks to information assets, given that many risks could be formulated for each asset?

2. Can assets be grouped for risk analysis? We have many servers with similar characteristics and possibly the same level of exposure to the same threats. What considerations should be taken into account when grouping assets to facilitate risk analysis?

3. Is there a predefined and/or recommended catalog of threats that can be used as a basis for risk analysis?

4. Is there a predefined and/or recommended catalog of vulnerabilities that can be used as a basis for risk analysis?

5. Is there a catalog of recommended controls that can be used as a basis for proposing the ideal controls for the treatment of the identified risks?


Expert
Rhand Leal Aug 02, 2022

Can you help me with the following questions?

1. How much detail is necessary in the process of identification and analysis of risks to information assets, since many risks could be formulated for each asset?

ISO 27001 does not prescribe a level of detail for the identification and analysis of risks, so you can adopt the level of detail you understand will provide confidence that you have assessed the most relevant risks.

This means that for some assets 1 or 2 risks may be enough, but for others you may understand that a greater number of risks needs to be considered.

To have a reference point: when using the asset-threat-vulnerability approach, a small organization generally identifies between 30 and 60 assets, with 3 vulnerabilities and 2 threats for each asset, so it identifies between 180 and 360 risks.

For further information, see:

2. Can assets be grouped for risk analysis? We have many servers with similar characteristics and possibly the same level of exposure to the same threats. What considerations should be taken into account when grouping assets to facilitate risk analysis?

ISO 27001:2013 leaves you free to use any method you consider appropriate to assess information security risks, as long as it meets clause 6.1.2 (information security risk assessment). So, you can assess a set of assets as a single one to identify and evaluate common risks, as long as they are similar (in your case, the servers). As a consideration, you should also group assets taking into account the asset owner and other parameters that make them easier to handle (e.g., servers that are in the same location).

This article will provide you with further explanation:

3. Is there a catalog of predefined and/or recommended Threats that can be used as a basis for risk analysis?

In the Risk Assessment Table template included in your toolkit, in folder 05 Risk Assessment and Risk Treatment, you will find a tab called “Threats” with a catalog of suggested threats.

4. Is there a catalog of predefined and/or recommended vulnerabilities that can be used as a basis for risk analysis?

In the Risk Assessment Table template included in your toolkit, in folder 05 Risk Assessment and Risk Treatment, you will find a tab called “Vulnerabilities” with a catalog of suggested vulnerabilities.

5. Is there a catalog of recommended controls that can be used as a basis to propose the ideal controls for the treatment of identified risks?

In the Risk Treatment Table template included in your toolkit, in folder 05 Risk Assessment and Risk Treatment, you will find a tab called “Controls” with the catalog of controls defined in ISO 27001 Annex A.

These controls are used in the Risk Treatment tab, in column K, “Means of implementation”.

For further information, see:

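As an added illustration of the grouping and counting described in the answer above (example code written for this page, not the forum's or Advisera's own): it builds a risk register with the asset-threat-vulnerability approach, assessing servers that share type, owner, location and exposure as one group, and compares the resulting number of risks with assessing every asset separately. The inventory and the threat/vulnerability catalogs are constructed samples, sized at 2 threats and 3 vulnerabilities per asset type as in the answer's figures.

```python
from collections import defaultdict
from itertools import product

# Constructed inventory: (name, asset type, owner, location, internet-exposed).
ASSETS = [
    ("web-01", "web server", "IT Ops", "DC-A", True),
    ("web-02", "web server", "IT Ops", "DC-A", True),
    ("web-03", "web server", "IT Ops", "DC-B", True),
    ("db-01", "database server", "DBA team", "DC-A", False),
    ("db-02", "database server", "DBA team", "DC-A", False),
    ("hr-laptop", "laptop", "HR", "Office", False),
]

# Constructed catalogs standing in for the "Threats" and "Vulnerabilities" tabs:
# 2 threats and 3 vulnerabilities per asset type, the ratio the answer quotes.
THREATS = {
    "web server": ["denial of service", "web application attack"],
    "database server": ["unauthorised access", "data loss"],
    "laptop": ["theft", "malware"],
}
VULNERABILITIES = {
    "web server": ["unpatched software", "weak TLS configuration", "no rate limiting"],
    "database server": ["default credentials", "no backups", "unencrypted storage"],
    "laptop": ["no disk encryption", "no endpoint protection", "outdated OS"],
}

def group_assets(assets):
    """Assets with the same type, owner, location and exposure are assessed as one."""
    groups = defaultdict(list)
    for name, kind, owner, location, exposed in assets:
        groups[(kind, owner, location, exposed)].append(name)
    return dict(groups)

def build_register(assets):
    """One risk row per (asset group, threat, vulnerability) combination."""
    register = []
    for (kind, owner, location, _), members in group_assets(assets).items():
        for threat, vuln in product(THREATS[kind], VULNERABILITIES[kind]):
            register.append({"assets": members, "owner": owner, "location": location,
                             "threat": threat, "vulnerability": vuln})
    return register

def risk_counts(assets):
    """(risks if every asset is assessed separately, risks after grouping)."""
    per_asset = sum(len(THREATS[a[1]]) * len(VULNERABILITIES[a[1]]) for a in assets)
    return per_asset, len(build_register(assets))
```

With this inventory the six assets collapse into four groups, so the register holds 24 risks instead of 36, and each row still names the owner and location the grouping was based on.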
