On the ISO27000 Forum list, someone asked:
I’m looking for Risk statement for each ISO 27k control; meaning
“what is the risk of not implementing a control”.
That’s a very ingenious way of looking at it!
One way of formulating the risk statement is from the control
objective mentioned in the standard.
Is there any other way out?
Ingenious aside, I’d be very careful with an approach like this.
Risks and controls are not, and should not be, 1:1.
Continue reading About ISO 27001 Risk Statement and Controls
On one list I subscribe to I saw this outrageous statement:
ISO 27001 requires that you take account of all the relevant threats
(and vulnerabilities) to every asset – that means that you have to
consider whether every threat from your list is related to each of
I certainly hope not!
Unless you have a rule as to where to stop, those lists – the vectors that you are going to multiply – are going to become indefinitely large, if not infinite. It's a problem in set theory to do with enumerability.
for a more complete discussion of this aspect of ‘risk’.
in which Jeff Lowder has a discussion of the “utility value” approach to controls
Because it's the controls and their effectiveness that really count.
Continue reading All Threats? All Vulnerabilities? All Assets?