Expert Advice Community

Vulnerabilities
Guest user, Created: Jul 29, 2020, Last commented: Jul 29, 2020

Hello Advisera Team,

I have a question about vulnerabilities in the risk assessment in ISO 27001: is a vulnerability something that is already in place, or something that could potentially happen in the future?

I mean, in your example below, if we have a UPS, a fire extinguisher, and fire protection, are all those risks not relevant for us? So we don't enter them in our Risk Assessment Table?

https://i.imgur.com/5JLEMo8.png

Expert
Rhand Leal Jul 29, 2020

When performing risk assessment you need to consider both situations: vulnerabilities you know are already in place, and vulnerabilities that can happen in the future, provided they are relevant to the scope of your ISMS.

In case you have a UPS, a fire extinguisher, and fire protection, what happens is that the impact and/or likelihood value will be smaller and the risks may become acceptable. But if they are relevant to your context, you need to keep them in the risk assessment so you can keep track of them, because if you do not keep them in the risk assessment and the situation changes, the risks may rise to unacceptable levels and you will not know it.

This article will provide you with a further explanation about estimating risks:
