On one list I subscribe to, I saw this outrageous statement:

ISO 27001 requires that you take account of all the relevant threats (and vulnerabilities) to every asset – that means that you have to consider whether every threat from your list is related to each of your assets.

“All”? “Every”?

I certainly hope not!

Unless you have a rule as to where to stop those lists, the vectors that you are going to multiply together (threats, vulnerabilities, assets) are going to become indefinitely large, if not infinite, and so will their cross product. It's a problem in set theory, to do with enumerability.

See http://infosecblog.antonaylward.com/2010/05/19/the-classical-risk-equation/ for a more complete discussion of this aspect of ‘risk’.

See http://www.bloginfosec.com/2010/08/23/why-the-risk-threats-x-vulnerabilities-x-impact-formula-is-mathematical-nonsense/ in which Jeff Lowder discusses the “utility value” approach to controls.

Because it's the controls and their effectiveness that really count.