Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
The organization shall conduct risk assessments in which risk is determined by threats, vulnerabilities and impact on business processes and assets.
Guidance
- Keep in mind that threats exploit vulnerabilities.
- Identify the consequences that losses of confidentiality, integrity and availability may have on the assets and related business processes.
The organization shall conduct and document risk assessments in which risk is determined by threats, vulnerabilities, impact on business processes and assets, and the likelihood of their occurrence.
Guidance
- Risk assessment should include threats from insiders and external parties.
- Qualitative and/or quantitative risk analysis methods
(MAPGOOD, ISO27005, CIS RAM, …) can be used together with software tooling.
Risk assessment results shall be disseminated to relevant stakeholders.