ISO 27001 Asset Based Risk Assessment

For those who are new to information security risk assessments, the most effective approach to take is an asset-based methodology.


An asset-based approach is perhaps the simplest way to meet the ISO 27001 risk assessment requirements. It evaluates risks in relation to your information assets, such as paper-based documents, intellectual property, digital information, storage devices, laptops, and hard drives.

To start, refer to your asset register or create a list of all the assets that hold or could affect your information. This can be done through interviews with the asset owners within your organization. The next step is to identify the risks: combinations of threats and vulnerabilities that can affect these assets.

According to ISO 27000, a threat is a potential cause of an unwanted incident that can harm a system or organization, while a vulnerability is a weakness in an asset or control that a threat can exploit. In information security terms, risk is therefore the potential for a threat to exploit a vulnerability and cause harm to the organization.

By systematically analyzing threats and vulnerabilities for each identified asset, you arrive at a set of risks associated with that asset. This task can be time-consuming, because you need to consider the different scenarios that may affect your office, computers, employees, and so on, together with the likelihood of each event occurring. For each risk you then determine its impact and likelihood, which tells you whether it falls within your acceptable risk criteria or threshold.
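The procedure above (list assets, attach vulnerabilities, pair them with the threats that can exploit them, score likelihood and impact, compare with the acceptance criteria) is worked through below as a small Python risk register. This is an added example, not code from the original article or from any ISO standard: the 1 to 5 scales, the likelihood × impact formula, the acceptance threshold of 6 and the sample assets, threats and vulnerabilities are all constructed assumptions, since ISO 27001 requires you to define and apply your own criteria rather than prescribing a formula.

```python
from dataclasses import dataclass

# Assumed scales and threshold for this example. ISO 27001 does not prescribe a
# scoring formula; it requires that risk criteria are defined and applied consistently.
LIKELIHOOD_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
ACCEPTANCE_THRESHOLD = 6  # assumed: likelihood x impact above this needs treatment


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str               # person interviewed about this asset
    impact: int              # consequence of compromise, on IMPACT_SCALE
    vulnerabilities: tuple   # names of weaknesses present in this asset


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int          # on LIKELIHOOD_SCALE


@dataclass(frozen=True)
class Vulnerability:
    name: str
    exploited_by: tuple      # names of threats able to exploit this weakness


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def acceptable(self) -> bool:
        return self.score <= ACCEPTANCE_THRESHOLD


def identify_risks(assets, vulnerabilities, threats):
    """A risk exists where an asset has a vulnerability and an identified threat
    can exploit it: one register row per (asset, threat, vulnerability) triple."""
    vuln_by_name = {v.name: v for v in vulnerabilities}
    threat_by_name = {t.name: t for t in threats}
    risks = []
    for asset in assets:
        for vuln_name in asset.vulnerabilities:
            vuln = vuln_by_name[vuln_name]
            for threat_name in vuln.exploited_by:
                threat = threat_by_name.get(threat_name)
                if threat is None:
                    continue  # weakness with no identified threat source: nothing to register
                risks.append(Risk(asset.name, threat.name, vuln.name,
                                  threat.likelihood, asset.impact))
    return risks


def unacceptable_risks(risks):
    """Risks above the acceptance criteria, highest score first, for treatment planning."""
    return sorted((r for r in risks if not r.acceptable),
                  key=lambda r: r.score, reverse=True)


# Constructed sample data, as it might come out of asset-owner interviews.
ASSETS = (
    Asset("Customer database server", "IT manager", 5, ("unpatched software", "no offsite backup")),
    Asset("Sales laptops", "Sales director", 3, ("no disk encryption",)),
    Asset("Paper HR files", "HR manager", 4, ("unlocked filing cabinet",)),
)
THREATS = (
    Threat("malware infection", 4),
    Threat("device theft", 3),
    Threat("fire", 1),
    Threat("unauthorised access", 2),
)
VULNERABILITIES = (
    Vulnerability("unpatched software", ("malware infection",)),
    Vulnerability("no offsite backup", ("fire",)),
    Vulnerability("no disk encryption", ("device theft",)),
    Vulnerability("unlocked filing cabinet", ("unauthorised access",)),
)


if __name__ == "__main__":
    register = identify_risks(ASSETS, VULNERABILITIES, THREATS)
    for r in register:
        status = "accept" if r.acceptable else "TREAT"
        print(f"{r.score:>2} {status:6} {r.asset} / {r.threat} via {r.vulnerability} "
              f"({LIKELIHOOD_SCALE[r.likelihood]}, {IMPACT_SCALE[r.impact]})")
```

With the sample data the register holds four risks; three exceed the threshold (scores 20, 9 and 8) and would go into the treatment plan, while the fire scenario for the database server (score 5) falls within the acceptance criteria. Changing ACCEPTANCE_THRESHOLD, or the scale values gathered in interviews, moves risks across that line, which is exactly the decision the criteria exist to make explicit.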

