Our ISO 27001 auditor wants us to evaluate asset risks (impact, likelihood) not just once per asset risk but on each of the three C-I-A dimensions. Likelihood might not differ, but impact could be evaluated separately for confidentiality, integrity and availability.
Is there a feature planned? Or a workaround? I can only think of creating each risk three times (once for each of C, I and A), but that would be a lot of effort.
Hi, we added a custom field to record the appropriate C-I-A marking against each risk. You can then report by creating filters.
You could use the ‘Multiple Matrices - Multiplication’ option in the Settings/Calculation Method and add 3x Impact classifications for C, I, and A. This will allow you to perform 3 assessments per risk. It takes a bit of setting up for the matrices, but works great once done.
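As an added illustration of the "one impact classification per C, I and A" set-up described in the reply above (this is example code written for this thread, not Eramba's own code or calculation method), the register below scores each risk three times, once per dimension, and lets you filter or rank on any one of them. The 1..5 level scale, the likelihood × impact formula and the "worst dimension drives the overall rating" rule are my assumptions, and the sample risks are constructed.

```python
from dataclasses import dataclass

# Qualitative levels -> numeric value (assumed 1..5 scale, not Eramba's own matrices)
LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
DIMENSIONS = ("confidentiality", "integrity", "availability")


def level_value(level: str) -> int:
    """Look up a qualitative level; reject anything not on the scale."""
    try:
        return LEVELS[level.lower()]
    except KeyError:
        raise ValueError(f"unknown level {level!r}; expected one of {sorted(LEVELS)}") from None


@dataclass
class Risk:
    name: str
    asset: str
    likelihood: str   # one qualitative level, shared by all three dimensions
    impact: dict      # dimension -> qualitative level; all three dimensions required

    def __post_init__(self):
        missing = [d for d in DIMENSIONS if d not in self.impact]
        if missing:
            raise ValueError(f"{self.name!r}: missing impact for {missing}")

    def dimension_scores(self) -> dict:
        """Likelihood x impact, computed once per C-I-A dimension (assumed formula)."""
        like = level_value(self.likelihood)
        return {d: like * level_value(self.impact[d]) for d in DIMENSIONS}

    def overall(self) -> int:
        """Worst dimension drives the overall rating, so a pure availability
        risk is not watered down by its negligible C and I impact."""
        return max(self.dimension_scores().values())


def rank_register(risks):
    """Risks ordered by overall score, highest first (ties keep input order)."""
    return sorted(risks, key=lambda r: r.overall(), reverse=True)


def filter_by_dimension(risks, dimension: str, threshold: int):
    """Report-style filter: risks scoring at or above a threshold on one dimension."""
    if dimension not in DIMENSIONS:
        raise ValueError(f"unknown dimension {dimension!r}")
    return [r for r in risks if r.dimension_scores()[dimension] >= threshold]


# Constructed sample register (illustrative entries, not real findings)
SAMPLE_RISKS = [
    Risk("Unencrypted off-site backup tapes", "Backup tapes", "medium",
         {"confidentiality": "high", "integrity": "low", "availability": "very low"}),
    Risk("Single power feed to server room", "Server room", "low",
         {"confidentiality": "very low", "integrity": "very low", "availability": "very high"}),
    Risk("Shared admin account on file server", "File server", "high",
         {"confidentiality": "high", "integrity": "high", "availability": "low"}),
]

if __name__ == "__main__":
    for r in rank_register(SAMPLE_RISKS):
        s = r.dimension_scores()
        print(f"{r.overall():>3}  C={s['confidentiality']:<2} I={s['integrity']:<2} "
              f"A={s['availability']:<2}  {r.asset}: {r.name}")
```

Running the script prints the register ranked by overall score with the three per-dimension scores beside it; `filter_by_dimension(SAMPLE_RISKS, "availability", 10)` is the code equivalent of the "report by creating filters" approach, returning only the power-feed risk.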
What ISO standard are you certifying against? ISO 27001:2013 and 2022 do not require this.
CIA is referenced in Classification of Information for both 2013 and 2022. We got pulled up on it a few years ago and it is now regularly tested.
This post is about risk management and scoring risks based on CIA (see title); classification of information is a different story. Or am I missing something here?
I am aware of that, but the author is asking how to accomplish evaluation within Eramba and I gave him a solution that satisfies our auditors (KPMG).
CIA has not been a requirement of risk management in ISO since 2013 (10 years now).
Do a Ctrl+F of the entire 2013 standard on the keywords “CIA” or “Confidentiality” or “Integrity” and “Availability” and there will be no connection between ASSETS and that. But perhaps I’m wrong… and you or KPMG can point to the requirement that requires CIA for assets.
I think the CIA would be triggered based on the 4.3 Scope statement. If assets are included in the ISMS, they would be in play. We haven’t been dinged yet, but we are sitting for our ISO 27001:2022 this week, so it may come up.
We assess our asset risks based upon ineffective or missing security controls which are likely to result in risks to Confidentiality, Integrity and/or Availability for a specific asset. Our risk assessment guideline is to have a maximum of three risks, one for each of the information security holy trinity (CIA).
We do this to make risk assessments consumable for Leadership (ISO27001:2013 - 5.1), and to “… ensure that repeated information security risk assessments produce consistent, valid and comparable results” (ISO27001:2013 - 6.1.2(b)).
Our procedure is for an asset to have a risk assessment which can result in zero to three risks. Each risk is associated with the asset, and all risks for the asset, if mitigated, are associated with a Project. Each project task remediates one risk, but a project can have multiple remediation tasks per risk.
Our procedure makes it easy to understand the security control gaps for C, I or A, and what remediation tasks are needed to reduce the risk.
This approach has also been very successful in getting middle management and asset custodian buy-in to our risk assessment and review procedures, as it is clear what needs to be done to reduce the risk.
Every organisation’s procedures are different. This is how we’ve made it work for us. Our external ISO27001 assessor has not raised any concerns about our current methodology and procedure.
Exactly, everyone is different.
And he/she can’t even if he/she would like to, because since 2013, and thank God, ISO is far more generic as to how people decide to do risk management, because they understood (it took them many years) that… as you well say: “Every organisation’s procedures are different”.
NOTE: we plan later this year to enhance our security classification and risk assessment methodologies to include the “Safety” dimension to assess risks related to industrial control systems and operational technologies. This will result in a maximum of 4 risks per asset.
I had the same request from my ISO 27001:2013 auditor and was using Eramba as the ISMS. All I did was add the CIA perspective into my commentary in the Risk Description and Analysis text fields. So rather than:
“There is a risk that data can be exposed”;
I would enter:
“C: Exposure of data would result in a breach of confidentiality.
I: This risk would not result in data being modified, therefore no integrity risk.
A: This risk could result in the system being unavailable, but it is unlikely.”
My auditor was satisfied with this approach.