Which comes first in risk assessment: threat or asset?
ISO 27001 does not prescribe any method for risk assessment, which means your method is acceptable and you should use it if you feel comfortable with it.
However, with such an approach you might miss some very specific threats related to some "smaller" assets, which could bring higher risks - for example, smart phones.
Therefore, you could perhaps choose this method: first list all the threats you can think of and include them in the catalog in the Risk assessment table; once this is finished you can start listing all the assets and connect related threats and vulnerabilities with those assets.
This article can also help you: ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
Jan 12, 2016