Using CVSS as Risk Management Methodology for ISO 27001

Guest user Created:   Jul 27, 2022 Last commented:   Jul 29, 2022


Is it possible to use CVSS as Risk Assessment Methodology and still be compliant with ISO 27001? How do we map LIKELIHOOD and IMPACT using CVSS? Thanks.

Rhand Leal (Expert) Jul 27, 2022

I’m assuming that by CVSS you mean Common Vulnerability Scoring System.

Considering that, CVSS cannot be used as a Risk Assessment Methodology for ISO 27001, because it is a framework for communicating the characteristics and severity of software vulnerabilities (based on three metric groups: Base, Temporal, and Environmental), which does not work with the concepts of likelihood and impact, required by the standard (clause 6.1.2 “d”).

The common uses of CVSS are for calculating the severity of the system’s vulnerabilities and for prioritizing vulnerability remediation activities.

These articles will provide you with further explanation about risk assessment and treatment:

JhuArt Dizon Jul 28, 2022

Hi Rhand,

Thank you for your input.

I happened to see this paper entitled A Quantitative CVSS-Based Cyber Security Risk Assessment Methodology For IT Systems by Aksu et al., where they actually calculated Likelihood (or Probability) and Impact using CVSS metrics:
https://cydecsys.com.tr/uploads/docs/1562668627_riskanalysiscarnahan2017.pdf

Let me know your thoughts on this.

Rhand Leal (Expert) Jul 29, 2022

The proposed way to handle likelihood and impact in the paper sounds good, and would be acceptable to fulfill the standard’s requirements for risk assessment, although it is a bit complex when compared with other risk assessment approaches, like the asset-threat-vulnerability approach commonly adopted for ISO 27001 ISMS.

