A concern was raised in one of the audits that the keyword ‘Probability’ should not be used in the risk assessment, because it is a mathematical term and, if we use it, the value should lie between 0 and 1. To elaborate: if we use the term ‘Threat Probability’, then the value has to conform to the mathematical meaning of the term.

However, ISO 27005:2008 clearly states (Section 3, Terms and definitions, sub-section 3.5 ‘risk estimation’, Note 2) that ‘likelihood’ is used instead of ‘probability’ in the standard. This is a clear indication that, for the standard, probability and likelihood are the same, and we need not worry about the mathematical meaning.

So what about your risk assessment methodology? Are you using the word ‘Probability’ or ‘Likelihood’? In my view, both can be used, since the standard clearly says they are the same; hence we should look at the English meaning rather than the mathematical meaning when using this term in a risk assessment.