Hi dear Team,
When we made the Risk Assessment initially, a couple of months ago, we had some servers in one of the locations which had high risk levels. Now we've moved them to the cloud and don't have those risks anymore. Should we now perform the Risk Assessment again? If yes, should the previous version be saved as well?
Thank you!
1. When we made the Risk Assessment initially, a couple of months ago, we had some servers in one of the locations which had high risk levels. Now we've moved them to the cloud and don't have those risks anymore. Should we now perform the Risk Assessment again?
ISO 27001 requires a risk assessment to be performed at planned intervals, or when significant changes are proposed or occur, and normally a server change can be characterized as a significant change, so you must perform the risk assessment again.
But please note that moving servers to the cloud may not mean that all related risks are eliminated. Some of them may have been only transferred. For example, if your servers are in a service provider's cloud, the physical-related risks are now with the provider (e.g., the physical servers hosting your virtual server can fail), and to handle this risk you must ensure the existence of proper security clauses in the contract or service agreement with the provider.
For further information, see:
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
2. If yes, should the previous version be saved as well?
ISO 27001 requires results of risk assessment to be kept, so the previous version of risk assessment must be kept.
This article will provide you with a further explanation about records management:
- Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
These materials will also help you regarding records management:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Feb 12, 2021