ISO 27001 package question regarding risk assessment

Guest user Created:   Jan 04, 2022 Last commented:   Jan 04, 2022

Thanks for the call last week! I proceeded with the risk assessment. Just a small question: The evaluation of probability of a risk already takes into account the measures that we already have implemented - is that correct? Because in the methodology it says: https://i.imgur.com/5hvpOc1.png So that means: If we already have implemented several security measures for certain risks, the probability will be low in the risk assessment. This would lead to a quite small amount of not acceptable risks (3 or higher) that would be transferred to Anhang 2 "Verzeichnis Risikoeinschätzung" (currently around 12 risks to be transferred in our case). Did I understand this correctly? Or do we need to evaluate the risk without taking into account the measures we already have? Thanks for your help!

Expert
Rhand Leal Jan 04, 2022

If you already have implemented controls, you need to take them into account when analyzing the risks, so your understanding is correct. In the Risk Assessment Table, in the last column, you can describe which controls are already implemented.

For further information, see:

This material will also help you regarding risk assessment:
