SPRING DISCOUNT
Get 30% off on toolkits, course exams, and Conformio yearly plans.
Limited-time offer – ends April 25, 2024
Use promo code:
SPRING30

Expert Advice Community

Home / ISO 27001 & 22301 / Appendix 3 of Risk Assessment

Guest

Appendix 3 of Risk Assessment

ISO 27001 & 22301
  Quote
Guest
Guest user Created:   Feb 12, 2021 Last commented:   Feb 12, 2021

Appendix 3 of Risk Assessment

ISO 27001 & 22301

I hope you have time to just fill in the blanks here, we did a risk assessment on mobile devices specific, we were 4 people from different departments initiating this workshop to identify the risks for mobile devices.

I get the feeling the assessment report is made for all of the assessments we are doing or like in our case we do it on several type of areas, like mobile devices.

We identified four risks, we had 1 with the value 3 but we still accepted that risk and no other change was made in the appendix 2, in other words, we did not lower the risk value in this case.

And to complete this risk we need to document this in 3 different files, Appendix 1, 2 and 3 (final report). 

Can you help me figure out this last part?

0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.
Expert
Rhand Leal Feb 12, 2021

Considering your stated scenario (i.e., all four risks identified as acceptable), the documents will be filled in as follows:
- Risk Assessment Table (Appendix 1): the four risks must be filled in
- Risk Treatment Table (Appendix 2): no need to include these risks
- Risk Assessment and Treatment Report: no need to include these risks

The main content of the Risk Assessment and Treatment Report does not include the risks themselves, only a description of the used methodology and when it was applied. The risks are listed in Its annexes, the abovementioned Risk Assessment Table and the Risk Treatment Table.

Please note that finding only 4 risks for mobile devices is probably a too low number, and this might be challenged at the certification audit especially if all of these risks are acceptable.

By the way, included in the toolkit you bought, you have access to video tutorials that can help you fill in the Risk Assessment and Risk Treatment tables. 

For further information, see:
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

This material can also help you:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- ISO 27001:2013 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Feb 12, 2021

Feb 12, 2021

Suggested Topics
KevinC Created:   Mar 17, 2020 ISO 27001 & 22301
Replies: 1
0 0

Appendix_1_Risk_Assessment_Table - vs. - A.8.1_Inventory_of_Assets
Guest user Created:   May 26, 2023 ISO 27001 & 22301
Replies: 1
0 0

Questions
Guest user Created:   Jan 18, 2023 ISO 27001 & 22301
Replies: 1
0 0

Asset Owner