Scenario based risk assessment

#1
Can someone help me with an ISO 27001 scenario-based risk assessment? Though I have a decent understanding of asset-based risk assessment, I'm not sure if it's the same.

Thanks,
Pappu.
 

Thee Bouyyy
#2
@pappu Welcome to the Cove! I am not familiar with ISO 27001. I am aware of scenario-based risk assessment. Experts on ISO 27001 will correct me later on if I am wrong.

So, first we will start with the definition of scenario-based assessment. A scenario-based assessment is a risk assessment that’s directed toward a specific threat, concern, or hazard. Rather than assessing the vulnerability of an entire organization, a scenario-based assessment evaluates the risk of one specific scenario happening. Scenario-based assessments aren’t something you do just once.

It’s important to remember that to calculate risk, you must assess both the probability of an event happening, and the severity of its impact, should it occur. Some events might be unlikely, but if they actually happen and you’re unprepared, those events could be catastrophic.

There are some practices for scenario-based assessments:

Forecast - If you can forecast a scenario, you should have a plan for it. You should constantly be assessing the risk of various scenarios, because new risks appear often and old risks evolve. Basically, if you can foresee it happening, it should be assessed.

Importance - You have to identify and decide which scenarios are most important. What you can do is make a list of all your scenarios and assign each a probability and severity score of some kind. Then you’ll have a ranking. Start by assessing the scenarios with the highest probability and highest severity, and work your way down.

Actions - Know what countermeasures each scenario calls for to reduce the probability, then find the best way to respond to, adapt to and recover from each scenario to reduce the severity.

Gaps - You have to understand your gaps. What countermeasures do you have in place right now? What do you need to implement, and how much will that cost? Prioritize your deficiencies and your remediations. Then create a schedule that tells you when to implement additional countermeasures.

Schedule - You have to be ready with an assessment schedule. Don’t try to do every assessment at once. Instead, create a full year/month/week schedule of assessments, starting with the riskiest scenarios and cycling through every foreseeable risk.

Monitoring - You have to monitor continuously. Risk is dynamic and changes every day. When a new threat becomes more probable, immediately assess and evaluate that specific scenario.

Respond - The last one is your response to an actual threat.

Have a nice day ahead :)
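Editor's added example (not part of either post above): the Importance, Actions, Gaps and Schedule steps from the reply, expressed as a small scenario risk register in Python. Each scenario gets a likelihood and an impact score, the product is the risk rating, existing controls give the current residual risk, and planned-but-missing controls are the gaps. Scenarios are ranked highest-risk first and a treatment plan is produced only for those above a risk-acceptance threshold, flagging any scenario that would still be above the threshold even after its planned controls. The 1 to 5 scales, the threshold of 8, the control effects, costs and the five scenarios are all constructed for illustration; ISO 27001 requires an organisation to define its own risk criteria, so treat these numbers as placeholders.

```python
"""Scenario-based risk register: score, rank, find gaps, build a treatment plan.

Added illustration, not from the forum thread. The scales, the threshold,
and the sample scenarios are assumptions; substitute your own ISMS criteria.
"""
from __future__ import annotations
from dataclasses import dataclass, field

SCALE_MIN, SCALE_MAX = 1, 5          # assumed 1..5 qualitative scales
RISK_APPETITE = 8                    # assumed: ratings above this need treatment


@dataclass
class Control:
    name: str
    reduces_likelihood: int = 0      # scale points removed when in place
    reduces_impact: int = 0
    implemented: bool = False        # False => this is a gap
    cost: int = 0                    # assumed planning units, e.g. person-days


@dataclass
class Scenario:
    name: str
    likelihood: int                  # probability of the scenario occurring
    impact: int                      # severity if it occurs
    controls: list[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.impact):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.name}: score {value} outside {SCALE_MIN}..{SCALE_MAX}")

    def inherent_risk(self) -> int:
        """Risk with no controls at all: probability x severity."""
        return self.likelihood * self.impact

    def residual_scores(self, include_planned: bool = False) -> tuple[int, int]:
        """Likelihood and impact after controls, never below the scale minimum."""
        like, imp = self.likelihood, self.impact
        for c in self.controls:
            if c.implemented or include_planned:
                like -= c.reduces_likelihood
                imp -= c.reduces_impact
        return max(SCALE_MIN, like), max(SCALE_MIN, imp)

    def residual_risk(self, include_planned: bool = False) -> int:
        like, imp = self.residual_scores(include_planned)
        return like * imp

    def gaps(self) -> list[Control]:
        return [c for c in self.controls if not c.implemented]


def rank(scenarios: list[Scenario]) -> list[Scenario]:
    """Highest current risk first; ties broken by severity, as the reply suggests."""
    return sorted(scenarios, key=lambda s: (s.residual_risk(), s.impact), reverse=True)


def treatment_plan(scenarios: list[Scenario], appetite: int = RISK_APPETITE) -> list[dict]:
    """For each scenario above appetite: the gaps to close, their cost, and the
    residual after closing them. Flags scenarios the planned controls cannot fix."""
    plan = []
    for s in rank(scenarios):
        if s.residual_risk() <= appetite:
            continue                         # accepted at current residual
        after = s.residual_risk(include_planned=True)
        plan.append({
            "scenario": s.name,
            "current": s.residual_risk(),
            "after_treatment": after,
            "gaps": [g.name for g in s.gaps()],
            "cost": sum(g.cost for g in s.gaps()),
            "still_above_appetite": after > appetite,
        })
    return plan


def sample_register() -> list[Scenario]:
    """Constructed sample data; every number here is an assumption."""
    return [
        Scenario("Ransomware encrypts file servers", 4, 5, [
            Control("Offline, tested backups", reduces_impact=2, implemented=True),
            Control("EDR on all endpoints", reduces_likelihood=2, cost=20)]),
        Scenario("Laptop lost with customer data", 3, 4, [
            Control("Full-disk encryption", reduces_impact=3, cost=5)]),
        Scenario("Phishing steals admin credentials", 5, 4, [
            Control("Phishing-resistant MFA", reduces_impact=3, implemented=True),
            Control("Awareness training", reduces_likelihood=1, cost=3)]),
        Scenario("Data centre power loss over 4 hours", 2, 3),
        Scenario("Insider exfiltrates source code", 3, 5, [
            Control("DLP on egress", reduces_likelihood=1, cost=15)]),
    ]


if __name__ == "__main__":
    register = sample_register()
    for s in rank(register):
        print(f"{s.residual_risk():>3}  (inherent {s.inherent_risk():>2})  {s.name}")
    for item in treatment_plan(register):
        print(item)
```

The ranking shows why "current residual" rather than inherent risk drives the order: the phishing scenario has the highest inherent rating (20) but drops to the bottom because MFA is already in place, while the insider scenario stays on top and is flagged because its only planned control still leaves it above the threshold, which is the cue to either find a stronger control or formally accept the risk.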
 