Using risks instead of threats
Assign topic to the user
Risk is different from threat: risk is "an uncertain event or condition that, if it occurs, has an effect on at least one objective", while threat is "potential cause of an unwanted incident, which may result in harm to a system or organization". So for instance, the threat is a computer virus, and the risk is the loss of all the information on your computer.
It is true that ISO 27001:2013 does not require the identification of threats any more, but this is in my opinion still the best methodology - read more here: Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
Comment as guest or Sign in
Jan 12, 2016