On one list I subscribe to, I saw this outrageous statement:
ISO 27001 requires that you take account of all the relevant threats
(and vulnerabilities) to every asset – that means that you have to
consider whether every threat from your list is related to each of
I certainly hope not!
Unless you have a rule for where to stop, those lists – the vectors you are going to multiply together – will become indefinitely large, if not infinite. It's a problem in set theory to do with enumerability.
for a more complete discussion of this aspect of ‘risk’.
in which Jeff Lowder has a discussion of the “utility value” approach to controls
Because it's the controls and their effectiveness that really count.