BS ISO/IEC 27005 pdf download – Information technology: Security techniques: Information security risk management

admin
An asset is anything that has value to the organization and which therefore requires protection. For the identification of assets it should be borne in mind that an information system consists of more than hardware and software.
Asset identification should be performed at a suitable level of detail that provides sufficient information for the risk assessment. The level of detail used on the asset identification will influence the overall amount of information collected during the risk assessment. The level can be refined in further iterations of the risk assessment.
An asset owner should be identified for each asset, to provide responsibility and accountability for the asset. The asset owner may not have property rights to the asset, but has responsibility for its production, development, maintenance, use and security as appropriate. The asset owner is often the most suitable person to determine the asset's value to the organization (see 8.3.2 for asset valuation).
The review boundary is the perimeter of assets of the organization defined to be managed by the information security risk management process.
More information on the identification and valuation of assets as related to information security can be found in Annex B.
Output: A list of assets to be risk-managed, and a list of business processes related to assets and their relevance.
8.2.3 Identification of threats
Input: Information on threats obtained from incident reviewing, asset owners, users and other sources, including external threat catalogues.
Action: Threats and their sources should be identified (relates to ISO/IEC 27001:2005, Clause 4.2.1 d) 2)).
Implementation guidance:
A threat has the potential to harm assets such as information, processes and systems, and therefore the organization. Threats may be of natural or human origin, and may be accidental or deliberate. Both accidental and deliberate threat sources should be identified. A threat may arise from within or from outside the organization. Threats should first be identified generically, by type (e.g. unauthorized actions, physical damage, technical failures), and then, where appropriate, the individual threats within each generic class should be identified. Working from generic classes to specific threats ensures that no threat is overlooked, including the unexpected, while keeping the volume of work bounded.
Some threats may affect more than one asset. In such cases they may cause different impacts depending on which assets are affected.
Input to the threat identification and to the estimation of the likelihood of occurrence (see 8.3.3) may be obtained from the asset owners or users, from human resources staff, from facility management, information security specialists, physical security experts, the legal department and other organizations, including legal bodies, weather authorities, insurance companies and national government authorities. Aspects of environment and culture should also be considered when addressing threats.