Question - Advice for adding asset-threat-vulnerability style risk methodology into Eramba

We are trying to add our existing risk assessment/treatment into Eramba; however, we followed the asset-threat-vulnerability approach to risk assessment, but Eramba follows the event-based approach.

ISO 27005 (the guidelines for information security risk management) proposes two approaches: the event-based approach and the asset-threat-vulnerability approach.

Has anyone encountered this, and if so, how did you go about converting the asset-threat-vulnerability approach to the event-based approach used in Eramba?

I’m getting the impression that we would need to redo the whole risk analysis to an extent, to get the individual risks (event-based) defined.

Thanks,
~Ken

I would suggest quoting the source in more detail: page, paragraph, etc.

ISO/IEC 27005:2022 Page 17 Chapter 7.2.1 (a) Event-based, (b) Asset-based

I’m currently in the same abstract discussion with our customers. Your advice is appreciated.

There is nothing about risk in item 7.2 of the ISO 27001 2022 version. We are probably not understanding each other.

You are referring to different ISO documents, 27001 and 27005.

Moreover, @keramba I wonder why you are adding and not multiplying the impact and likelihood in your table. Is that done on purpose?