Appendix 3 of Risk Assessment
I hope you have time to just fill in the blanks here, we did a risk assessment on mobile devices specific, we were 4 people from different departments initiating this workshop to identify the risks for mobile devices.
I get the feeling the assessment report is made for all of the assessments we are doing or like in our case we do it on several type of areas, like mobile devices.
We identified four risks, we had 1 with the value 3 but we still accepted that risk and no other change was made in the appendix 2, in other words, we did not lower the risk value in this case.
And to complete this risk we need to document this in 3 different files, Appendix 1, 2 and 3 (final report).
Can you help me figure out this last part?
Assign topic to the user
Considering your stated scenario (i.e., all four risks identified as acceptable), the documents will be filled in as follows:
- Risk Assessment Table (Appendix 1): the four risks must be filled in
- Risk Treatment Table (Appendix 2): no need to include these risks
- Risk Assessment and Treatment Report: no need to include these risks
The main content of the Risk Assessment and Treatment Report does not include the risks themselves, only a description of the used methodology and when it was applied. The risks are listed in Its annexes, the abovementioned Risk Assessment Table and the Risk Treatment Table.
Please note that finding only 4 risks for mobile devices is probably a too low number, and this might be challenged at the certification audit especially if all of these risks are acceptable.
By the way, included in the toolkit you bought, you have access to video tutorials that can help you fill in the Risk Assessment and Risk Treatment tables.
For further information, see:
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
This material can also help you:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- ISO 27001:2013 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Comment as guest or Sign in
Feb 12, 2021