27k1 Risk Assessment
The 27k1 ISMS is very flexible: different risk assessment methodologies can be carried out without configuring the app with various settings.
You can carry out different types of risk assessment at any time; for example, a newly introduced server can be risk assessed while key business processes are being risk assessed in parallel.
The following instructions help you carry out the various types of risk assessment.
Use Business Scenarios to carry out risk assessments on key business drivers, processes, intellectual property or any other non-asset-based risk assessment method.
If an asset-based risk assessment is performed, assigning Business Scenarios as well is an excellent complement that strengthens the whole risk assessment process.
Primary Information Assets
The ISO 27005 standard refers to primary and supporting assets, and the 27k1 ISMS uses these guidelines to perform the risk assessment.
The ISO 27001 supporting asset types are included in the 27k1 ISMS; in addition, cryptographic certificates, named “Encryption”, are added to the list of supporting assets so that implementers are made aware that encryption must not be overlooked.
Vulnerability and Threats
The Vulnerability and Threats (or Threats and Vulnerabilities) menu item provides a long list to choose from; vulnerabilities and threats not on the lists can easily be added.
If vulnerabilities and threats are not required for a given asset or scenario, create a new vulnerability and a new threat and name them accordingly, such as “Not Applicable”.
For each asset or business scenario, select the required vulnerability and threat from the drop-down menus; the 27k1 ISMS remembers your last selection.
Asset values are assigned to the primary and supporting assets and provide the priority order for the list of remedial actions required to treat the risks. If valuations are not required, simply set the sliders accordingly.
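As an added illustration of the register described above (primary and supporting assets or business scenarios, each paired with a vulnerability and a threat, a “Not Applicable” pairing where none is needed, a remembered last selection, and remedial actions prioritised by asset value), here is a small Python model. It is example code written for this page, not the 27k1 ISMS's own implementation; the class and field names, the 0 to 5 valuation scale and the sample entries are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Sentinel vulnerability/threat name for subjects that need no threat pairing,
# following the page's suggestion of an entry literally named "Not Applicable".
NOT_APPLICABLE = "Not Applicable"


@dataclass
class RiskEntry:
    subject: str          # primary asset, supporting asset or business scenario
    kind: str             # "primary", "supporting" or "scenario" (assumed labels)
    vulnerability: str
    threat: str
    asset_value: int      # assumed 0..5 valuation slider; 0 means "valuation not required"
    remedial_action: str

    def is_applicable(self) -> bool:
        """Entries whose vulnerability or threat is Not Applicable need no treatment."""
        return NOT_APPLICABLE not in (self.vulnerability, self.threat)


class RiskRegister:
    """Hypothetical register: stores entries and remembers the last vulnerability/threat pair."""

    def __init__(self) -> None:
        self.entries: List[RiskEntry] = []
        self._last_vuln: Optional[str] = None
        self._last_threat: Optional[str] = None

    def add(self, subject: str, kind: str, remedial_action: str, asset_value: int = 0,
            vulnerability: Optional[str] = None, threat: Optional[str] = None) -> RiskEntry:
        # When no selection is given, reuse the previous one (mirrors the "remembers your
        # last selection" behaviour); fall back to Not Applicable on the very first entry.
        vulnerability = vulnerability or self._last_vuln or NOT_APPLICABLE
        threat = threat or self._last_threat or NOT_APPLICABLE
        entry = RiskEntry(subject, kind, vulnerability, threat, asset_value, remedial_action)
        self.entries.append(entry)
        self._last_vuln, self._last_threat = vulnerability, threat
        return entry

    def prioritised_actions(self) -> List[str]:
        """Remedial actions for applicable entries, highest asset value first."""
        applicable = [e for e in self.entries if e.is_applicable()]
        ordered = sorted(applicable, key=lambda e: (-e.asset_value, e.subject))
        return [f"{e.subject}: {e.remedial_action}" for e in ordered]


def build_sample_register() -> RiskRegister:
    """Constructed sample data: one business scenario, one primary and two supporting assets."""
    reg = RiskRegister()
    reg.add("Customer order process", "scenario", "Document manual fallback",
            asset_value=3, vulnerability="Single point of failure", threat="Service outage")
    # A newly introduced server: vulnerability/threat omitted, so the last selection is reused.
    reg.add("Web server WS-01", "primary", "Patch and add to monitoring", asset_value=5)
    reg.add("TLS certificate (Encryption)", "supporting", "Automate renewal",
            asset_value=4, vulnerability="Expired certificate", threat="Loss of confidentiality")
    # Valuation and threat pairing not required for this supporting asset.
    reg.add("Office printer", "supporting", "None", asset_value=0,
            vulnerability=NOT_APPLICABLE, threat=NOT_APPLICABLE)
    return reg


if __name__ == "__main__":
    for line in build_sample_register().prioritised_actions():
        print(line)
```

Running the block lists the web server first, then the certificate, then the business scenario; the printer entry is excluded because its vulnerability and threat are Not Applicable. The ordering key is deliberately the asset value alone, since the page states that asset values provide the priority; any likelihood or impact weighting would be an extension beyond what is described here.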