Risk Assessment Registry - ISO 27001

#1
Hi All,

We have an upcoming ISO 27001 Surveillance and Certification Audit in December 2017, and I want to get clarity on the correct way of doing Asset-Based and Context-Based Risk Assessment.

I want to focus more on Context-Based Risk Assessment, as I am confused about how to do it correctly and how to treat it per process.

I work in a BPO set-up, and all your inputs are greatly appreciated. Samples would be great, too!


Thank you very much!
 
Marc
#2
A quick "Bump". My Thanks in advance for help with this one. I know it's a niche topic.
 
#5
Hi @Richard,

Basically, it is defining the internal and external parameters or factors that affect, or may affect, the process and/or organizational objectives.

Hope this helps!

Thank you!
 

Richard Regalado
#6
And you want to "link" that to your IS risk assessment?

If the context-based assessment confuses you, why not stick with the asset-based assessment? If you are comfortable with that, why fix something that ain't broken? There are strengths associated with an asset-based risk assessment: it is more thorough and easily identifies all information assets and their supporting media.

Richard
 

yashodhansawant

Yashodhan Sawant
#7
This may be a late reply, but I can't help it. I rejoined this forum just today!!!

Basically, the ISO 27001:2013 standard does not talk about 'Asset Based' risk assessment, though you may still consider continuing with one. The standard, through its clause 6.1.1, requires an organization to determine 'risks and opportunities' considering the context of the organization, i.e. external and internal issues and the needs and expectations of the interested parties. The standard is not explicit about where exactly to look for risks and opportunities. Now, what an organization can do is look at the issues and interested parties. All of these would point to the products / services, processes, locations, assets and people of the organization.

So, 'assets' will be one of the objects being assessed for risks and opportunities.
 

poh.s.lim

Poh S. Lim (Minuteman Resources Pte Ltd)
#8
IMHO, IS assets are resources that need protection from any form of disruption. The more critical the asset is, the greater the need to protect it. Using an asset-based approach is one way to approach it, but I feel that a context-based assessment is necessary to give a 'big picture' of how it should be prioritized. A context-based assessment has the ability to determine just how critical the asset is. Does this make sense?
 

yashodhansawant

Yashodhan Sawant
#9
Just to highlight: the 'context' of the organization includes 'information systems', amongst other things. Reproducing the text from ISO 27000:2016 for a quick reference to what this context may include:

2.42
internal context
internal environment in which the organization (2.57) seeks to achieve its objectives
[SOURCE: ISO Guide 73:2009, 3.3.1.2]
Note 1 to entry: Internal context can include the following:
— governance, organizational structure, roles and accountabilities;
— policies (2.60), objectives (2.56), and the strategies that are in place to achieve them;
— the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes (2.61), systems and technologies);
— information systems (2.39), information flows and decision-making processes (2.61) (both formal and informal);
— relationships with, and perceptions and values of, internal stakeholders (2.82);
— the organization’s (2.57) culture;
— standards, guidelines and models adopted by the organization (2.57);
— form and extent of contractual relationships.

2.27
external context
external environment in which the organization seeks to achieve its objectives (2.56)
[SOURCE: ISO Guide 73:2009, 3.3.1.1]
Note 1 to entry: External context can include the following:
— the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
— key drivers and trends having impact on the objectives (2.56) of the organization (2.57);
— relationships with, and perceptions and values of, external stakeholders (2.82).
 