Risk Assessment Registry - ISO 27001

Kipp_Szeth

Hi All,

We have an upcoming ISO 27001 Surveillance and Certification Audit in December 2017, and I want to get clarity on what the correct way of doing it is for Asset-Based and Context-Based Risk Assessment.

I want to pound more on Context-Based Risk Assessment, as I am confused about how and what the correct way of doing it is, and how to treat it per process.

I work on a BPO set-up and all your inputs are greatly appreciated. Samples would be great, too!


Thank you very much!
 

Marc

A quick "Bump". My thanks in advance for help with this one. I know it's a niche topic.
 

Kipp_Szeth

Hi @Richard,

Basically, it is defining the internal and external parameters or factors that affect or may affect the process and/or organizational objectives.

Hope this helps!

Thank you!
 

Richard Regalado

And you want to "link" that to your IS risk assessment?

If the context-based assessment confuses you, why not stick with the asset-based assessment? If you are comfortable with that, why fix something that ain't broken? There are strengths associated with an asset-based risk assessment. It is more thorough and easily identifies all information assets and supporting medium.

Richard
 

yashodhansawant

This may be a late reply, but can't help. I rejoined this forum today itself!!!

Basically, the ISO 27001:2013 standard does not talk about 'Asset Based' risk assessment, though you may still consider continuing with one. The standard, through its clause no. 6.1.1, needs an organization to determine 'risks and opportunities' considering the context of the organization, i.e. external and internal issues, and the needs and expectations of the interested parties. The standard is not explicit about where exactly to look for risks and opportunities. Now, what an organization can do is to look around the issues and interested parties. All these would point to the products / services, processes, locations, assets, and people of the organization.

So, 'assets' will be one of the objects being assessed for risks and opportunities.
 

poh.s.lim

This may be a late reply, but can't help. I rejoined this forum today itself!!!

Basically, the ISO 27001:2013 standard does not talk about 'Asset Based' risk assessment, though you may still consider continuing with one. The standard, through its clause no. 6.1.1, needs an organization to determine 'risks and opportunities' considering the context of the organization, i.e. external and internal issues, and the needs and expectations of the interested parties. The standard is not explicit about where exactly to look for risks and opportunities. Now, what an organization can do is to look around the issues and interested parties. All these would point to the products / services, processes, locations, assets, and people of the organization.

So, 'assets' will be one of the objects being assessed for risks and opportunities.

IMHO, IS assets are resources that need protection from any form of disruption. The more critical the asset is, the greater the need to protect the asset. Using an asset-based approach is one way to approach it, but I feel that context-based assessment is necessary to give a 'big picture' of how it should be prioritized. Context-based assessment has the ability to determine just how critical the asset is. Does this make sense?
 

yashodhansawant

Just to highlight: the 'context' of the organization includes 'information systems' amongst other things. Reproducing the text from ISO 27000:2016 for a quick reference to what this context may include:

2.42
internal context
internal environment in which the organization (2.57) seeks to achieve its objectives
[SOURCE: ISO Guide 73:2009, 3.3.1.2]
Note 1 to entry: Internal context can include the following:
— governance, organizational structure, roles and accountabilities;
— policies (2.60), objectives (2.56), and the strategies that are in place to achieve them;
— the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes (2.61), systems and technologies);
— information systems (2.39), information flows and decision-making processes (2.61) (both formal and informal);
— relationships with, and perceptions and values of, internal stakeholders (2.82);
— the organization’s (2.57) culture;
— standards, guidelines and models adopted by the organization (2.57);
— form and extent of contractual relationships.

2.27
external context
external environment in which the organization seeks to achieve its objectives (2.56)
[SOURCE: ISO Guide 73:2009, 3.3.1.1]
Note 1 to entry: External context can include the following:
— the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
— key drivers and trends having impact on the objectives (2.56) of the organization (2.57);
— relationships with, and perceptions and values of, external stakeholders (2.82).
 

Richard Regalado

Information: JumboKing Burger recipe
Risk: The recipe could be stolen because there is no formal document control being practiced
Impact: High
Probability: High
Risk treatment: Write and implement a formal document management system