
ISO27001 Risk Assessment: Asset-based and Scenario-based

Risk assessment is a key part of the requirements of the ISO27001 standard and it’s a certainty that an organization won’t become certified unless this area has been addressed. But it’s one of the subjects that causes most confusion when on the journey towards certification, particularly the choice of what kind of risk assessment to carry out. In this blog article we look at two of the most popular ISO27001 risk assessment approaches: asset-based and scenario-based, and we discuss the pros and cons of each.

A bit of history...

In the 2005 version of the ISO27001 standard the choice was already made for you; asset-based risk assessment was the way to go, and the text was quite prescriptive:

4.2.1 Establish the ISMS

d) Identify the risks.

1) Identify the assets within the scope of the ISMS, and the owners of these assets.

2) Identify the threats to those assets.

3) Identify the vulnerabilities that might be exploited by the threats.

4) Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.

So the discussion about how to do risk assessment was a bit limited.

The current version of ISO/IEC 27001 standard

In the 2013 version however, we were allowed to choose our own risk assessment approach, as long as it met certain criteria:

6.1.2 Information security risk assessment

The organization shall define and apply an information security risk assessment process that…

This didn’t mean that you couldn’t carry on performing asset-based risk assessments; you just didn’t have to. That history may explain why the asset-based method is still popular in ISMSs worldwide. The 2022 version of the standard has retained that flexibility.

So what is an asset-based risk assessment?

An asset-based risk assessment revolves around three main concepts:

  1. Assets
  2. Threats
  3. Vulnerabilities

Let’s look at each of these in turn.

  1. Assets

In theory, assets are anything that has value to your organization. In practice, in an ISO27001 context we’re mainly talking about information assets and the infrastructure that supports them. An information asset is typically a set of data that your organization uses or stores in order to fulfil its purpose, so it could be a customer database, supplier records, financial data etc. The definition of asset also includes hardware, software and physical things such as buildings, but these tend to be secondary to the information assets: for example, a customer database (the information asset) is hosted on a server that runs Apache (the supporting infrastructure).

  2. Threats

A threat is something that might happen to your asset to affect its confidentiality, integrity or availability (the “CIA triad” – a central concept in ISO27001). So this could be a hacker (the “threat actor”) who breaks into your server to steal your customer database (the asset) or, more likely, to encrypt it and demand a ransom.

  3. Vulnerabilities

This is the concept that is probably the most difficult to really comprehend. What is a “vulnerability”? Well, basically it’s a weakness that hasn’t been fixed which makes it easier for the threat to attack the asset. A classic vulnerability is a software bug which hasn’t been patched, and there have been plenty of those involved in high-profile breaches over the years. But it could also be a configuration error, such as not securing your AWS bucket, or a lack of multi-factor authentication (MFA) on a logon to an important asset.

Putting it together

An asset-based risk assessment then involves looking at the threats to each of your assets and deciding whether there are any vulnerabilities that the threat could exploit to affect the CIA of your asset. For those that are above your risk appetite (that is, the degree of risk you feel comfortable with) you would then treat the risk using one or more controls.

For example, the narrative could be “it’s quite likely someone could hack into the server (threat) holding our customer database (asset) and encrypt it because we aren’t patching Apache properly (vulnerability) so we will purchase some software that patches it more reliably (control)”.

So how does a scenario-based risk assessment differ?

Whereas an asset-based risk assessment starts with a list of assets, a scenario-based one starts with a list of things that could happen (scenarios, very similar to our definition of threats above). So you would often start with a brainstorming session to come up with a list of scenarios to consider and then work through what would happen if they came about. In order to assess the impact correctly you still need a good understanding of your assets and of the existing controls that are in place, so this type of assessment is not wildly different from the one we have just described.

The narrative might include questions such as:

  • What would happen if someone hacked into our network?
  • What is the worst damage they could do?
  • How are we already addressing this risk?
  • What else could we do to make it harder for them?
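To make the two approaches concrete, here is an added example (it is not CertiKit’s code and not part of the standard) that runs one constructed set of assets, threats, vulnerabilities and brainstormed scenarios through both an asset-based pass and a scenario-based pass and compares the treatment lists they produce. The 1–5 likelihood and impact scales, the multiplicative score, the risk appetite of 9 and all the sample data are assumptions for illustration; ISO27001 does not prescribe a scoring method.

```python
"""Toy ISO27001 risk register: asset-based vs scenario-based (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from itertools import product

RISK_APPETITE = 9  # assumption: scores strictly above this must be treated


@dataclass
class Asset:
    name: str
    impact: int                   # 1-5, worst-case CIA impact if compromised
    threats: list[str]
    vulnerabilities: list[str]


@dataclass(frozen=True)
class Risk:
    description: str
    likelihood: int               # 1-5
    impact: int                   # 1-5

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    def needs_treatment(self, appetite: int = RISK_APPETITE) -> bool:
        return self.score > appetite


# Constructed: how likely each plausible threat/vulnerability pairing is.
# Pairings absent from the table (e.g. hardware failure via missing MFA)
# are not considered plausible and produce no register entry.
LIKELIHOOD = {
    ("ransomware", "unpatched web server"): 5,
    ("ransomware", "no MFA on admin logon"): 4,
    ("ransomware", "no offsite backup"): 3,
    ("data theft", "unpatched web server"): 4,
    ("data theft", "no MFA on admin logon"): 4,
    ("hardware failure", "no offsite backup"): 3,
}

# Constructed sample assets (the kind of list an asset-based assessment starts from).
ASSETS = [
    Asset("customer database", impact=5,
          threats=["ransomware", "data theft"],
          vulnerabilities=["unpatched web server", "no MFA on admin logon"]),
    Asset("supplier records", impact=3,
          threats=["ransomware", "hardware failure"],
          vulnerabilities=["unpatched web server", "no offsite backup"]),
]

# Constructed brainstormed scenarios: (what could happen, likelihood, assets affected).
SCENARIOS = [
    ("someone hacks into our network and encrypts our data", 5,
     ["customer database", "supplier records"]),
    ("an attacker steals our customer data", 4, ["customer database"]),
    ("a server fails and we have no usable backup", 3, ["supplier records"]),
]


def asset_based(assets: list[Asset], likelihood=LIKELIHOOD) -> list[Risk]:
    """Asset-based: each plausible asset x threat x vulnerability combination
    becomes its own register line, using the asset's impact rating."""
    risks = []
    for asset in assets:
        for threat, vuln in product(asset.threats, asset.vulnerabilities):
            lk = likelihood.get((threat, vuln))
            if lk is None:
                continue
            risks.append(Risk(f"{threat} against {asset.name} via {vuln}", lk, asset.impact))
    return risks


def scenario_based(scenarios, assets: list[Asset]) -> list[Risk]:
    """Scenario-based: one register line per scenario; the impact is the worst
    impact among the assets the scenario would touch (asset knowledge is still needed)."""
    by_name = {a.name: a for a in assets}
    return [Risk(desc, lk, max(by_name[n].impact for n in affected))
            for desc, lk, affected in scenarios]


def treatment_plan(risks: list[Risk], appetite: int = RISK_APPETITE) -> list[Risk]:
    """Risks above appetite, highest score first, i.e. what needs a control."""
    return sorted((r for r in risks if r.needs_treatment(appetite)),
                  key=lambda r: r.score, reverse=True)


if __name__ == "__main__":
    for label, register in (("asset-based", asset_based(ASSETS)),
                            ("scenario-based", scenario_based(SCENARIOS, ASSETS))):
        plan = treatment_plan(register)
        print(f"{label}: {len(register)} risks, {len(plan)} above appetite")
        for r in plan:
            print(f"  [{r.score:2}] {r.description}")
```

With this data the asset-based pass yields seven register lines, five of them above appetite, while the scenario-based pass yields three lines, two above appetite; the two approaches agree on the biggest item (encryption of the customer database) but the asset-based register is longer and more granular, which is exactly the trade-off discussed next.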

Asset-based or scenario-based – which is best?

What’s important here is that your risk assessment is as comprehensive as you need and that it produces a set of actions that will genuinely improve your security posture. Most people would agree that a scenario-based approach is probably easier to understand, but some would argue that this is because it is less structured, so some risks might be missed. However, the scenario-based method may allow your team to focus on the big, important risks first and get those treated faster. The asset-based approach is likely to produce a longer list of risks; whilst this means it is more comprehensive, it could make your risk assessment unwieldy and harder to action.

In summary

It’s a reasonable statement that “the best risk assessment is the one you actually do”, because whichever method you use, the important thing is that you are encouraging everyone involved to think about risks. Either way, you’ll need to provide at least some basic training in how to conduct a risk assessment so that everyone is clear about the approach chosen.

And once you have a completed risk assessment you will be one step closer to achieving certification.


Written by CertiKit’s CEO, Ken Holmes CISSP, CIPP/E. Ken is an ISO27001 Lead Auditor and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the Information Technology industry. Note, this blog has been updated in November 22 to reflect the new 2022 standard. 

