ISO27001 accreditation isn’t granted without a risk assessment, and choosing a risk assessment method is one of the most complex phases of certification.
Asset-based risk assessment comprises three parts:
1. Assets
2. Threats
3. Vulnerabilities
Let’s take each in turn.
Assets
Assets are the things a business values. ISO27001 is concerned with IT infrastructure and, above all, information assets: your client database, supplier records, financial data and so on. The information itself matters more than the hardware, software and buildings that hold it; for example, an Apache server might host your customer database.
Threats
Threats jeopardise the confidentiality, integrity or availability of an asset (the “CIA triad”, a core term in ISO27001). For example, a “threat actor” may break into your server to steal or encrypt your customer database.
Vulnerabilities
This one is harder to grasp. A vulnerability is a weakness that makes an attack easier. Unpatched software vulnerabilities have been behind several high-profile hacks, but a vulnerability can just as well be a configuration mistake, such as not securing your AWS bucket or not enabling MFA on the login to a key asset.
Puzzle-solving
An asset-based risk assessment looks at each asset, identifies the threats to it, and asks whether those threats could exploit a vulnerability to harm its confidentiality, integrity or availability. Where the resulting risk exceeds your risk tolerance, you apply a control.
For example: because we are not patching Apache (vulnerability), a threat actor (threat) could encrypt our client database (asset), so we will buy patching software (control).
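The asset-based method above, written out as a small risk register (an added example, not part of the original article). The 1–5 scales, the multiplicative score and the sample entries are assumptions constructed for the illustration; ISO27001 does not prescribe a scoring formula.

```python
from collections import namedtuple
from itertools import product

# Illustrative 1-5 scales and a multiplicative score are assumptions of this example,
# not a method prescribed by ISO27001.
Asset = namedtuple("Asset", "name value")              # value: business value of the information, 1-5
Threat = namedtuple("Threat", "name harms likelihood")  # harms: CIA properties it jeopardises; likelihood 1-5
Vulnerability = namedtuple("Vulnerability", "name asset exposes exploitability")  # exposes: CIA properties
Risk = namedtuple("Risk", "asset threat vulnerability score exceeds_tolerance")

def assess(assets, threats, vulns, tolerance):
    """Pair every asset with every threat and every vulnerability on that asset.
    A risk is recorded only where the vulnerability exposes a property the threat harms."""
    risks = []
    for asset, threat, vuln in product(assets, threats, vulns):
        if vuln.asset != asset.name or not (threat.harms & vuln.exposes):
            continue  # weakness sits on another asset, or is irrelevant to this threat
        score = asset.value * threat.likelihood * vuln.exploitability  # 1-125
        risks.append(Risk(asset.name, threat.name, vuln.name, score, score > tolerance))
    return sorted(risks, key=lambda r: r.score, reverse=True)

def treatment_plan(risks):
    """The 'list of security-boosting tasks': one entry per vulnerability behind an
    intolerable risk, keyed to the worst score it contributes, worst first."""
    plan = {}
    for r in risks:
        if r.exceeds_tolerance and r.vulnerability not in plan:
            plan[r.vulnerability] = r.score
    return list(plan.items())

# Constructed sample register following the article's Apache / client database example.
ASSETS = [Asset("client database", 5), Asset("supplier records", 3)]
THREATS = [Threat("actor encrypts data", frozenset("IA"), 3),
           Threat("insider reads records", frozenset("C"), 2)]
VULNS = [Vulnerability("unpatched Apache", "client database", frozenset("CIA"), 4),
         Vulnerability("public storage bucket", "supplier records", frozenset("C"), 5)]
TOLERANCE = 30  # scores above this must be treated; a score of exactly 30 is accepted

if __name__ == "__main__":
    register = assess(ASSETS, THREATS, VULNS, TOLERANCE)
    for r in register:
        print(r)
    print(treatment_plan(register))
```

Note that the public bucket never pairs with the encryption threat: it exposes confidentiality only, so the register does not inflate with irrelevant combinations.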
Scenario-based risk assessment is different.
Unlike an asset-based risk assessment, a scenario-based one begins with events (scenarios, very similar to our definition of threats above). You brainstorm different scenarios, then analyse each one. This approach also demands a deep understanding of your assets and existing controls. For example:
What if a hacker got into our network?
What is the worst harm they could do?
What should we do about it?
How might we make their work harder?
Scenario-based planning or asset-based?
Whichever you choose, your risk assessment should produce a list of tasks that improve your security. Most say a scenario-based approach is easier to learn, while some say it is less structured and may miss some risks. Scenario-based planning may help your team prioritise challenges for faster resolution. Asset-based approaches may yield a longer list of risks, making the assessment more time-consuming.
Ultimately
The best risk assessment is the one you actually carry out, because every organisation should analyse its risks. Whichever approach you take, risk assessment training is required.
Once the risk assessment is done, certification is a step closer.