Expert Advice Community

Using CVSS as Risk Management Methodology for ISO 27001

Guest
Guest user Created:   Jul 27, 2022 Last commented:   Jul 29, 2022

Is it possible to use CVSS as a Risk Assessment Methodology and still be compliant with ISO 27001? How do we map LIKELIHOOD and IMPACT using CVSS? Thanks.
0 0

Expert
Rhand Leal Jul 27, 2022

I’m assuming that by CVSS you mean Common Vulnerability Scoring System.

Considering that, CVSS cannot be used as a Risk Assessment Methodology for ISO 27001, because it is a framework for communicating the characteristics and severity of software vulnerabilities (based on three metric groups: Base, Temporal, and Environmental), which does not work with the concepts of likelihood and impact, required by the standard (clause 6.1.2 “d”).

The common uses of CVSS are for calculating the severity of the system’s vulnerabilities and for prioritizing vulnerability remediation activities.  

These articles will provide you with further explanation about risk assessment and treatment:

  • 6 main steps in risk management https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/
  • Risk assessment methodology https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#section3
  • Risk assessment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
  • Risk treatment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
0 1
Guest
JhuArt Dizon Jul 28, 2022

Hi Rhand, 

Thank you for your input.

I happened to see this paper entitled "A Quantitative CVSS-Based Cyber Security Risk Assessment Methodology For IT Systems" by Aksu et al., where they actually calculated Likelihood (or Probability) and Impact using CVSS metrics:
https://cydecsys.com.tr/uploads/docs/1562668627_riskanalysiscarnahan2017.pdf

Let me know your thoughts on this.

0 0
Expert
Rhand Leal Jul 29, 2022

The proposed way to handle likelihood and impact in the paper sounds good, and would be acceptable to fulfill the standard’s requirements for risk assessment, although it is a bit complex when compared with other risk assessment approaches, like the asset-threat-vulnerability approach commonly adopted for ISO 27001 ISMS.

0 1
