What is Better? Process or Asset Risk Assessment

As many of you know, this is one of the main projects in the ISM community, and there are some different perspectives on the best method to perform a Risk Assessment. I am really hoping to get some good feedback across industries on this question.


Where does the Risk Assessment methodology come from?

I know many asset risk assessments are based on the NIST and OCTAVE methods, which is usually the work I perform. Many of the process-based risk assessments I have seen are done by auditors (the Big 5 type companies). When reviewing many of these I notice they all seem different, thus I’m not sure of the methods they follow (some use COBIT). Most organizations I have consulted for use the Audit department to perform the process risk assessment, while the asset risk assessment is usually done in a separate group or by information security.


Asset Risk Assessment: Brief overview

The asset-based risk assessment that I perform usually focuses on asset risk in terms of the people, processes, and technology. With that said, I do not map every process, like a process risk assessment. The end result of the assessment is a list of asset groups (prioritized by severity), threats (assigned a value based on likelihood) mapped to each asset group, and vulnerabilities (ranked by impact and how easy it is to compromise) associated with each asset group. All of these (assets, threats, vulnerabilities) have scores associated with them that, when added up, produce a risk score. Then risk-prioritized recommendations are created to remediate the vulnerabilities.
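The additive scoring described above, sketched as an added example (not the author's own tooling or a NIST/OCTAVE reference implementation). The 1-5 rating scale, the class and function names, and the sample asset groups are all assumptions made for illustration.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # assumed 1-5 rating scale; the post does not specify one

@dataclass
class Threat:
    name: str
    likelihood: int   # how likely the threat is to occur

@dataclass
class Vulnerability:
    name: str
    impact: int       # damage if exploited
    ease: int         # how easy it is to compromise (5 = trivial)
    fix: str          # recommended remediation

    def score(self) -> int:
        return self.impact + self.ease

@dataclass
class AssetGroup:
    name: str
    severity: int
    threats: list
    vulnerabilities: list

    def risk_score(self) -> int:
        """Add up asset, threat and vulnerability ratings for this group."""
        ratings = [self.severity] + [t.likelihood for t in self.threats]
        for v in self.vulnerabilities:
            ratings += [v.impact, v.ease]
        if any(r not in SCALE for r in ratings):
            raise ValueError(f"{self.name}: rating outside the 1-5 scale")
        return sum(ratings)

def recommendations(groups):
    """Remediation list: riskiest asset group first, then worst vulnerability."""
    rows = [(g.risk_score(), v.score(), g.name, v.fix)
            for g in groups for v in g.vulnerabilities]
    return sorted(rows, key=lambda r: (-r[0], -r[1], r[2]))

# Constructed sample data, not taken from any real assessment.
GROUPS = [
    AssetGroup("Office workstations", 2, [Threat("Malware", 4)],
               [Vulnerability("Local admin rights", 3, 4, "Remove local admin rights")]),
    AssetGroup("Customer database", 5,
               [Threat("External attacker", 4), Threat("Insider misuse", 2)],
               [Vulnerability("Shared admin account", 4, 3, "Issue individual admin accounts"),
                Vulnerability("Unpatched DBMS", 5, 4, "Patch the DBMS")]),
    AssetGroup("HR file share", 4, [Threat("Insider misuse", 3)],
               [Vulnerability("Overbroad ACLs", 4, 5, "Restrict share ACLs")]),
]

if __name__ == "__main__":
    for risk, vuln, group, fix in recommendations(GROUPS):
        print(f"{risk:>3} {vuln:>2}  {group}: {fix}")
```

Because the total is a plain sum, it grows with the number of threats and vulnerabilities recorded for a group, so a group with many minor entries can outrank one with a single severe issue; the per-vulnerability score in the second column helps spot that.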


We need both!

Is the asset assessment better than a process assessment? I don’t think so, but most organizations that I have consulted (on risk assessment) have problems with a process-based risk assessment when it is done alone. However, when combined together, both methods usually cover most areas of risk. Again, I don’t think either one is better than the other. I believe we need a mechanism in place to assess both the asset and its associated processes.


What is your view?



  1. Dear,

    This is a very interesting topic and I thank you for discussing it. If you have process-based assessments, it would be great if you can share some samples. I’m also wondering why a process-based assessment will not be enough? Is it because you usually find assets that you cannot map to certain assets? Although this must be challenged, as an asset that is not supporting any business process should not be there in the first place. I hope we can discuss this more.

    Thank you

  2. Sorry, I meant assets you cannot map to a business process, on the fourth line of my previous comment

  6. Understanding the business, identifying the critical business processes and later mapping these processes with the critical assets. I guess that’s the funda.
