Vulnerabilities
Hello Advisera Team,
I have a question about vulnerabilities in risk assessment in ISO 27001: is it something which is already in place, or something which could potentially happen in the future?
I mean, in your example below, if we have a UPS, fire extinguishers, and fire protection, are all those risks not relevant for us? So we don't enter them in our Risk Assessment Table?
When performing risk assessment you need to consider both situations: vulnerabilities you know are already in place, and vulnerabilities that can happen in the future, provided they are relevant to the scope of your ISMS.
If you have a UPS, fire extinguishers, and fire protection, the impact and/or likelihood values will be smaller and the risks may become acceptable. However, if they are relevant to your context, you need to keep them in the risk assessment so you can keep track of them: if you do not keep them in the risk assessment and the situation changes, the risks may rise to unacceptable levels and you will not know it.
This article will provide you with further explanation about estimating risks:
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
Jul 29, 2020