Using CVSS as Risk Management Methodology for ISO 27001

I’m assuming that by CVSS you mean Common Vulnerability Scoring System.

Considering that, CVSS cannot be used as a Risk Assessment Methodology for ISO 27001, because it is a framework for communicating the characteristics and severity of software vulnerabilities (based on three metric groups: Base, Temporal, and Environmental), which does not work with the concepts of likelihood and impact, required by the standard (clause 6.1.2 “d”).

The common uses of CVSS are for calculating the severity of the system’s vulnerabilities and for prioritizing vulnerability remediation activities.  

These articles will provide you with further explanation about risk assessment and treatment:

• 6 main steps in risk management https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/
• Risk assessment methodology https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#section3
• Risk assessment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
• Risk treatment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment

Hi Rhand, 

Thank you for your input.

I happened to see this paper entitled A Quantitative CVSS-Based Cyber Security Risk Assessment Methodology For IT Systems by Aksu et al: where they actually calculated Likelihood (or Probability) and Impact using CVSS metrics:
https://cydecsys.com.tr/uploads/docs/1562668627_riskanalysiscarnahan2017.pdf

Let me know your thoughts on this.

The proposed way to handle likelihood and impact in the paper sounds good, and would be acceptable to fulfill the standard’s requirements for risk assessment, although it is a bit complex when compared with other risk assessment approaches, like the asset-threat-vulnerability approach commonly adopted for ISO 27001 ISMS.