Expert Advice Community

Risk Statements

Guest user Created: Jun 25, 2020 Last commented: Jun 25, 2020

Here is a question on how to write good risk statements using the known ISO risk components from 27005, Annex D (Threat, Vulnerability).
Various articles (e.g. ISACA) highlight a risk statement based on the formula:

[Event that has an effect on objectives] caused by [cause/s] resulting in [consequence/s].

Can that, in the ISO world, be translated into:
Threat (that has an effect on objectives) caused by a vulnerability resulting in a business consequence. So, taking 27005, Annex D, the first row in the table, the Risk Statement would be: There is a risk of "breach of information system maintainability" due to "insufficient maintenance installation of storage media." This may lead to XWY.

Or is it the other way round, i.e. that the risk is the "vulnerability"???


Expert
Rhand Leal Jun 25, 2020

Please note that vulnerabilities are weaknesses related to an asset and they do not cause threats, they are exploited by them. Considering that, your proposed structure should be:

Threat (that has an effect on vulnerabilities) exploits a vulnerability, resulting in a business consequence.

Considering an asset-threat-vulnerability approach, your statement would be:

"Information system's" (asset) "breach of maintainability" (threat) due to "insufficient maintenance installation of storage media" (vulnerability). This may lead to XWY (consequence).

This article will provide you with a further explanation about risk statements:

These materials will also help you regarding risk statements:
