Risk Statements
Please note that vulnerabilities are weaknesses related to an asset, and they do not cause threats; they are exploited by them. Considering that, your proposed structure should be:
Threat (that has an effect on vulnerabilities) exploits a vulnerability, resulting in a business consequence.
Considering an asset-threat-vulnerability approach, your statement would be:
"Information system's" (asset) "breach of maintainability" (threat) due to "insufficient maintenance installation of storage media" (vulnerability). This may lead to XWY (consequence).
This article will provide you with a further explanation about risk statements:
- ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
These materials will also help you regarding risk statements:
- Diagram of ISO 27001:2013 Risk Assessment and Treatment process (PDF) https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Jun 25, 2020