Challenges on risk assessment and treatment
Answer: To calculate, or define, the values of threat and vulnerability you must consider historical / statistical data (either from your own organization or related to your industry) and the opinion of the personnel who know best the assets and the process you are assessing. The information available will allow you either to calculate the values based on quantifiable data or to adopt values based on the perception you and your team have of the situation.
It is important to note that for ISO 27001 there is no need to assess threat/vulnerability values to calculate the level of risk.
These articles will provide you with more information:
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- Qualitative vs. quantitative risk assessments in information security: Differences and similarities https://advisera.com/27001academy/blog/2017/03/06/qualitative-vs-quantitative-risk-assessments-in-information-security/
2. How to write the findings and recommendations in the assessment report with the overall risk rating and security ranking?
Answer: ISO 27001 does not require the findings of the assessment report to be linked directly with the overall risk rating and security ranking (in fact, including this correlation would result in an excessively complex report with little added value).
Regarding recommendations, for each finding the consultant should provide at least one or two recommendations on how to handle the situation (e.g., controls to minimize the probability and/or impact of a risk occurring).
3. Kindly do let me know how to update the overall score and risk rating (Highlighted in Red box)
Answer: If by the overall score and risk rating you mean the level of risk associated with the findings identified in the assessment, then the way to improve the score and the rating is to introduce controls which will decrease the risk, by handling the findings.
May 15, 2018