What methods for undertaking a risk assessment are acceptable in ISO/IEC 27001:2013?

In the latest version, ISO/IEC 27001:2013, it has become acceptable to employ tools and techniques for undertaking a risk assessment other than the asset-based approach detailed in ISO/IEC 27005. That asset-based approach remains a fully acceptable one to employ; however, you may now also use other methods, techniques and tools to carry out your risk assessment.

But where do you find guidance on what other tools and techniques are acceptable?

There has been a lot of talk about how risk management for ISO/IEC 27001:2013 is now dealt with in ISO 31000. Whilst this is true, the actual guidance on what other methods you can employ to undertake a risk assessment is found in ISO/IEC 31010. That standard covers these other tools and techniques in some depth: it details at which stage of the risk assessment process each can be employed, provides an overview of each, and describes their respective inputs and outputs.

If you want to employ a new approach to risk assessment, ISO/IEC 31010 would seem to be a standard you need to read!
