Expert Advice Community


Which comes first in risk assessment: threat or asset?

Guest user Created:   Jan 12, 2016 Last commented:   Jan 12, 2016


We are a small organization, say 100 employees or even fewer. For risk assessment purposes, I chose the threat and then thought about which assets would get affected, and then the vulnerabilities were identified. However, in the toolkit you advise to select the asset, then the threats, and then map vulnerabilities. Is my approach correct, or should I rework this activity?
DejanK Jan 12, 2016

ISO 27001 does not prescribe any method for risk assessment, which means your method is acceptable and you should use it if you feel comfortable with it.

However, with such an approach you might miss some very specific threats related to some "smaller" assets, which could bring higher risks - for example, smart phones.

Therefore, you could perhaps choose this method: first list all the threats you can think of and include them in the catalog in the Risk assessment table; once this is finished you can start listing all the assets and connect related threats and vulnerabilities with those assets.

This article can also help you: ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
