
I am currently required to carry out an information security risk assessment for an assignment, using the ISO 27005:2011 standard, for the Equifax data breach that occurred in 2017, https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/

What I've gathered from chapter 8 of the 27005 document so far is that the risk assessment process is generally divided into three sections: first risk identification, followed by risk analysis and risk evaluation.

I am currently working on the risk identification section and would appreciate any assistance on methods or techniques I can use to appropriately identify some assets, threats, vulnerabilities and controls relevant to the incident above or more generally. (I'm not looking for the actual items, just ideas on what to look for in the articles related to the incident)

schroeder
2nce
  • You have to start with the assets. Everything else hangs off of that first part. The Krebs article you linked does not describe anything that you would need to perform an asset identification (use a different article). – schroeder Nov 30 '18 at 23:21
  • This question looks to be very broad. The methods used to identify assets, threats, vulnerabilities and controls are numerous. And doesn't the ISO 27005 lay out some techniques to use? I'm guessing that the problem is not with the risk approach you use but finding the right information on which to use those techniques. And that's just a research methods question. – schroeder Nov 30 '18 at 23:27
  • Thanks for your reply, I will try to research for some better articles in that case. I also reviewed the standard and found that Annex C actually goes into depth on some of the different types of asset classes. Could you kindly recommend me any good places/sources to find more information about security incidents like this one? – 2nce Dec 01 '18 at 11:07
  • @2nce have you tried Google? – Lucas Kauffman Dec 06 '18 at 06:45
  • @LucasKauffman That's a great idea! Let me get right on it! – 2nce Dec 06 '18 at 13:47

0 Answers