Qualifying vs quantifying risks
Qualifying risks (qualitative risk assessment) involves describing and categorizing risks using descriptive scales or labels—such as rating likelihood as "low, medium, high" and impact as "minor, moderate, severe"—focusing on understanding the nature and relative severity of risks without precise numerical values.
Quantifying risks (quantitative risk assessment) involves measuring risks using specific numerical values—such as calculating the probability as a percentage (e.g., 15% chance per year) and impact in monetary terms (e.g., €50,000 loss)—providing precise, measurable data that can be used for detailed cost-benefit analysis and statistical modeling.
Clause 6.1.2 states that we should "assess the potential consequences" and "realistic likelihood" of risks occurring, but the standard does not say how these should be established (only that the chosen method must produce "consistent, valid and comparable results").
The core requirements in ISO/IEC 27001 remain method-agnostic as long as consequences and likelihood are assessed and the results are consistent, valid and comparable.
The organization must set its own criteria for determining risk levels and risk acceptance criteria. The organization defines these elements based on its specific needs, size, structure, objectives, and risks.
The standard does not say anything about whether qualitative or quantitative risk assessment should be applied.
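A worked example of both approaches applied to one risk, added here and not part of the original note: annualized loss expectancy computed from the per-year probability and monetary impact, a control cost-benefit check built on it, and an ordinal matrix that keeps qualitative ratings comparable. The risk name, the control cost, the residual probability and the matrix thresholds are constructed assumptions.

```python
# Added example (not from the original note). All figures are constructed
# sample values chosen to match the note's 15% per year and EUR 50,000.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    annual_probability: float   # 0.15 means a 15% chance per year
    impact_eur: float           # loss per occurrence in euros


def annualized_loss_expectancy(risk: Risk) -> float:
    """Quantitative: ALE = probability per year x loss per occurrence."""
    return risk.annual_probability * risk.impact_eur


def control_is_worthwhile(risk: Risk, annual_control_cost: float,
                          residual_probability: float) -> bool:
    """Cost-benefit: a control pays off when the ALE it removes exceeds its cost."""
    residual = Risk(risk.name, residual_probability, risk.impact_eur)
    saved = annualized_loss_expectancy(risk) - annualized_loss_expectancy(residual)
    return saved > annual_control_cost


# Qualitative: fixed ordinal scales so that ratings from different assessors
# combine the same way every time (the "consistent, valid and comparable" test).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"minor": 1, "moderate": 2, "severe": 3}


def qualitative_level(likelihood: str, impact: str) -> str:
    """Combine the two ordinal ratings into one risk level (assumed 3x3 matrix)."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


if __name__ == "__main__":
    r = Risk("ransomware on file server", 0.15, 50_000)
    print(annualized_loss_expectancy(r))           # 7500.0
    print(control_is_worthwhile(r, 4_000, 0.05))   # True: saves 5000 > 4000
    print(qualitative_level("medium", "severe"))   # high
```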