Question - Risk aligned to C, I or A?

We are going through ISO27001:2013, and recently had the first part of our 1st stage audit.
One of the observations made by our assessor was that our risks need to be scored against the impact to either the Confidentiality, Integrity or Availability of an asset.

Does anyone have any thoughts on how this is best achieved? I was thinking of using the “tag” field to record which area the risk impacts the most, and tag the risk as that. If needed, I may have to duplicate some risks (where a risk currently impacts multiple of the CIA options - it seems our auditor expects to see individual risks rather than a “grouped risk” which deals with multiple elements of CIA).

If anyone has any thoughts or input, I’d be grateful of experience in this area.


Normally one would assess risk based on the asset(s) connected with the risk, and CIA would be risk or asset classifications. eramba supports this, using classifications you can asses risks and apply a probability magnifier based on likelihood of risk materialising.

We chose the Octave Allegro risk assesment methodology, where u tag the asset with the most important property of an asset (C,I,A) and score it against a set of classifications (we use: Health, productivity, legal/penalty, reputation, financial) and asses the asset-risk impact, from low-medium-high perspective considering the tag… (C I A)…

in this manner you asses the threats to you assets and the negative value of risk impacting your assets.

i hope it makes sense :slight_smile:

We classify risks with the following classification model, as you see we consider the CIA items:

And calculation methodology:

When we calcualte a risk, it looks like this:

Another option would be to use Magerit - we dont use it because it requires classifying assets and we dont have much time to spare (we dont think doing that gives as more “accuracy” on our risk score, but that is only our expeirence of course!).

The documentation that explains how they work is here:

This weekend we have 12 hours long flight so we plan to read all three methodologies proposed by jonas and others and work out how to plug them as additional calculation methodologies.

Hope this helps!

Reference to the other risk post were we discuss other risk methodologies: