Evaluation of the impact of the identified risks
To calculate the risk, you have to assess two main components: impact and likelihood. In most cases the scales for those two components are the same (e.g. low-medium-high for both, or 1 to 5 for both).
However, if you assess business continuity risks, you can add additional weight to high impact if you feel this will better represent the resulting risk - in other words, you are free to set your risk assessment methodology as you see fit.
Regarding the acceptable level of risk, it is set for the risk itself, not separately for the components (impact and likelihood).
This article may help you: How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
Jan 12, 2016