We are trying to add our existing risk assessment/treatment into Eramba. However, we followed the asset-threat-vulnerability approach to risk assessment, but Eramba follows the event-based approach.
ISO 27005 (the guidelines for information security risk management) proposes two approaches: the event-based approach and the asset-threat-vulnerability approach.
Has anyone encountered this, and if so, how did you go about converting the asset-threat-vulnerability approach to the event-based approach used in Eramba?
I’m getting the impression that we would need to redo the whole risk analysis to an extent, to get the individual risks (event-based) defined.
Thanks,
~Ken