The key difference is that, while in the asset-threat-vulnerability assessment you start by identifying the elements that lead to a risk, in the scenario-based assessment you start with a risk situation and then go for the elements that can lead to such a risk.
The main advantage of scenario-based assessment is that users are more prone to identify risk situations than elements that lead to them. This leads to quicker risk identification. The drawback is that elements that can lead to the same risk are missed and the risk identification becomes incomplete, leading to a false sense of safety (this situation is prevented by using asset-threat-vulnerability assessment, but it takes longer to identify relevant risk because you have to try several different combinations of assets).
A good approach would be to start with scenario-based assessment to identify some relevant assets, threats, and vulnerabilities, and after that expand this list of elements and work on them to try to identify new risks.
This article will provide you with further explanation about risk identification:
- ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification https://advisera.com/27001academy/blog/2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identification/
This material will also help you regarding information security risk assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Apr 05, 2022