ISO/IEC 27005 « The InfoSec Blog

How much Risk Assessment is needed?

Posted by Anton Aylward

In many of the InfoSec forums I subscribe to, people regularly ask the "How long is a piece of string?" question:

How extensive a risk assessment is required?

It's a perfectly valid question that we have all faced, along with the "where do I begin?" class of questions.

The ISO 27001 standard lays down some necessities, such as your asset register, but it doesn't tell you how much detail is necessary. You can choose to say "desktop PCs" as a class without addressing each one, or even the different models. You can say "data centre" without having to enumerate every single component therein.

At first.