Page 90 - CISSO_Prep_ Guide
One example is the ISO/IEC 27005 process, which is primarily
a qualitative approach: both impact and likelihood are rated on
a five-point scale of Very Low, Low, Medium, High, and Very
High. Other methods use fewer levels; the original (2002) edition
of NIST SP 800-30, for instance, ranked likelihood and impact as
Low, Medium, or High (its 2012 revision moved to a five-point scale).
Presenting the result as a cell in a table of values such as this
can make the risk assessment easier to understand and accept than
the single absolute figure for risk that a quantitative approach
produces.
A qualitative risk assessment typically relies on input from many
individuals representing every line of business and viewpoint.
A benefit of this is that it often surfaces the dependencies and
relationships between departments that no single group would see.
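The following is an added example (not code from the CISSO guide) showing how the two ideas above fit together: a likelihood x impact matrix on the five-point scale the text names, and a step that consolidates ratings from several departments into one register entry while flagging the risks on which departments disagree, which is exactly where the cross-department dependencies tend to hide. The additive way the two scales combine into a risk level, the department names, and the risk scenarios are assumptions made for illustration; ISO/IEC 27005 shows a similar table in its annexes, but your organisation's agreed matrix should replace it.

```python
"""Qualitative risk rating with a likelihood x impact matrix (ISO/IEC 27005 style).

Added example, not from the CISSO guide. The five-point scale is the one the
text names; the way the two scales combine into a risk level is an assumption
for illustration and should be replaced by the matrix your organisation uses.
"""
from collections import defaultdict
from statistics import median

SCALE = ["Very Low", "Low", "Medium", "High", "Very High"]

# Assumed matrix: the ordinal indices of likelihood and impact are added
# (0..8) and the sum is bucketed back onto the same five-point scale.
_SUM_TO_LEVEL = {0: 0, 1: 0, 2: 1, 3: 1, 4: 2, 5: 3, 6: 3, 7: 4, 8: 4}


def rate(likelihood: str, impact: str) -> str:
    """Return the qualitative risk level for one likelihood/impact pair."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError(f"values must be one of {SCALE}")
    total = SCALE.index(likelihood) + SCALE.index(impact)
    return SCALE[_SUM_TO_LEVEL[total]]


def consolidate(assessments, max_spread=1):
    """Combine per-department ratings of each risk into one register entry.

    assessments: iterable of dicts with keys risk, department, likelihood, impact.
    Returns a list sorted from highest to lowest consensus level. Each entry
    carries the median level (the consensus), the highest level any department
    gave, and a flag when departments disagree by more than max_spread steps,
    i.e. where a dependency or conflicting viewpoint needs to be talked through.
    """
    by_risk = defaultdict(list)
    for a in assessments:
        by_risk[a["risk"]].append((a["department"], rate(a["likelihood"], a["impact"])))

    register = []
    for risk, votes in by_risk.items():
        idx = [SCALE.index(level) for _, level in votes]
        consensus = SCALE[int(median(idx))]   # median of ordinal ranks, rounded down
        worst = SCALE[max(idx)]
        spread = max(idx) - min(idx)
        register.append({
            "risk": risk,
            "consensus": consensus,
            "worst_case": worst,
            "needs_discussion": spread > max_spread,
            "votes": dict(votes),
        })
    register.sort(key=lambda e: SCALE.index(e["consensus"]), reverse=True)
    return register


# Constructed sample input (hypothetical departments and scenarios): three
# lines of business each rate the same two risk scenarios.
SAMPLE = [
    {"risk": "Ransomware on file servers", "department": "IT",
     "likelihood": "High", "impact": "Very High"},
    {"risk": "Ransomware on file servers", "department": "Finance",
     "likelihood": "Medium", "impact": "Very High"},
    {"risk": "Ransomware on file servers", "department": "HR",
     "likelihood": "Medium", "impact": "High"},
    {"risk": "Loss of a laptop", "department": "IT",
     "likelihood": "High", "impact": "Low"},
    {"risk": "Loss of a laptop", "department": "Finance",
     "likelihood": "High", "impact": "Very High"},
    {"risk": "Loss of a laptop", "department": "HR",
     "likelihood": "High", "impact": "Medium"},
]

if __name__ == "__main__":
    for entry in consolidate(SAMPLE):
        print(entry["risk"], "| consensus:", entry["consensus"],
              "| worst case:", entry["worst_case"],
              "| discuss:", entry["needs_discussion"])
```

With the sample data both scenarios land on a consensus of High, but the laptop scenario is flagged: IT sees a Medium risk because the device itself is cheap, while Finance sees Very High because of the data on it. That disagreement is the cross-department dependency the text describes, and the flag is what turns it into an agenda item rather than an averaged-away number.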