Expert Advice Community

Guest

Risk Management Questions

  Quote
Guest
Guest user Created:   Aug 02, 2022 Last commented:   Aug 02, 2022

Risk Management Questions

We received this question:

Me pueden ayudar con la siguientes Preguntas

1. Qué tanto nivel de detalle es necesario en el proceso de identificación y análisis de Riesgos de los activos de Información?, ya que por cada activo se podrían formular muchos riesgos.

2. se puede agrupar activos para hacerles el análisis de riesgos? tenemos muchos servidores con características similares y con posiblemente el mismo nivel de exposición a  las mismas amenazas.  Qué consideraciones se deben tener en cuenta para agrupar activos para facilitar  el análisis de riesgos?

3. Existe un catálogo de Amenazas predefinidos y/O recomendado que se pueda tomar como base para el análisis de los riesgos?

4. Existe un catálogo de Vulnerabilidades predefinidas y/O recomendadas que se pueda tomar como base para el análisis de los riesgos?

5. Existe un catálogo de Controles recomendados que se pueda tomar como base para plantear los controles ideales para el tratamiento de los riesgos identificados?

 

0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Aug 02, 2022

Can you help me with the following questions

1. How much level of detail is necessary in the process of identification and analysis of Risks of Information assets?, since many risks could be formulated for each asset.

ISO 27001 does not prescribe a level of details for identification and analysis of risks, so you can adopt the level of detail you understand that will provide confidence that you assessed the most relevant risks.

This means that for some assets 1 or 2 risks may be enough, but for others, you may understand that a greater number of risks needs to be considered.

To have a parameter, when using the asset-threat-vulnerability approach, a small organization generally identifies between 30 to 60 assets, with 3 vulnerabilities and 2 threats for each asset, so they identify between 180 to 360 risks.

For further information, see:

2. Can assets be grouped for risk analysis? we have many servers with similar characteristics and possibly the same level of exposure to the same threats. What considerations should be taken into account to group assets to facilitate risk analysis?

ISO 27001:2013 let you free to use any methods you consider proper to assess information security risks as long as they meet clause 6.1.2 (information security risk assessment). So, you can assess a set of assets as a single one to identify and evaluate common risks as long as they are similar (in your case, the servers). As a consideration point, you should group assets also considering the asset owner, and other parameters that can make it easier to handle them (e.g., servers that are in the same location).

This article will provide you with further explanation:

3. Is there a catalog of predefined and/or recommended Threats that can be used as a basis for risk analysis?

In the Risk Assessment Table template included in your toolkit, in folder 05 Risk Assessment and Risk Treatment, you will find a tab called “Threats” with a catalog of suggested threats.

4. Is there a catalog of predefined and/or recommended vulnerabilities that can be used as a basis for risk analysis?

In the Risk Assessment Table template included in your toolkit, in folder 05 Risk Assessment and Risk Treatment, you will find a tab called “Vulnerabilities” with a catalog of suggested vulnerabilities.

5. Is there a catalog of recommended controls that can be used as a basis to propose the ideal controls for the treatment of identified risks?

In the Risk Treatment Table template included in your toolkit, in folder 05 Risk Assessment and Risk Treatment, you will find a tab called “Controls” with the catalog of controls defined in ISO 27001 Annex A.

These controls are used in the Risk Treatment tab in the column K “Means of implementation”.

For further information, see:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Aug 02, 2022

Aug 02, 2022

Suggested Topics