Expert Advice Community

Home / ISO 27001 & 22301 / How often the risk review needs to be done?

Guest

How often the risk review needs to be done?

ISO 27001 & 22301
  Quote
Guest
Guest user Created:   Jan 14, 2019 Last commented:   Jan 14, 2019

How often the risk review needs to be done?

ISO 27001 & 22301
How often is good best practices to risk assess all SOA controls once we initially do during implementation?
0 0

Assign topic to the user

ISO 27001 RISK ASSESSMENT AND RISK TREATMENT METHODOLOGY

Define main rules for risk assessment and treatment.

ISO 27001 RISK ASSESSMENT AND RISK TREATMENT METHODOLOGY

Define main rules for risk assessment and treatment.
Expert
Dejan Kosutic Jan 14, 2019

SOA controls are implemented due to various reasons like Best Practices, Legal, Contractual, or out of risk assessments.

Answer: You should review your current risk assessment at least once a year, or if any bigger change happens - e.g. change of technology, change of location, change in your products or services, change in legislation, etc.

Is it good to categorize the controls implementation like this and do assess all controls every quarter or only during any technology or regulatory changes?

Answer: I didn't see in practice this kind of categorization, and it seems to me it won't be useful - as mentioned above, the review needs to be triggered by any significant changes.

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Jan 14, 2019

Jan 14, 2019

Suggested Topics
Lajvar Created:   Apr 29, 2024 ISO 27001 & 22301
Replies: 0
0 0

Risk treatment plan
Atheer AlMartan Created:   Feb 11, 2024 ISO 27001 & 22301
Replies: 1
0 0

Statement of Acceptance of Residual Risks
mark950 Created:   Jan 18, 2024 ISO 27001 & 22301
Replies: 1
0 0

Automated Firewall Review