Expert Advice Community

Appendix 3 of Risk Assessment

Guest user | Created: Feb 12, 2021 | Last commented: Feb 12, 2021
I hope you have time to just fill in the blanks here. We did a risk assessment specific to mobile devices; we were 4 people from different departments initiating this workshop to identify the risks for mobile devices.

I get the feeling the assessment report is made for all of the assessments we are doing, or, like in our case, we do it on several types of areas, like mobile devices.

We identified four risks. We had 1 with the value 3, but we still accepted that risk, and no other change was made in Appendix 2; in other words, we did not lower the risk value in this case.

And to complete this risk we need to document this in 3 different files: Appendix 1, 2 and 3 (final report).

Can you help me figure out this last part?

Expert
Rhand Leal Feb 12, 2021

Considering your stated scenario (i.e., all four risks identified as acceptable), the documents will be filled in as follows:
- Risk Assessment Table (Appendix 1): the four risks must be filled in
- Risk Treatment Table (Appendix 2): no need to include these risks
- Risk Assessment and Treatment Report: no need to include these risks

The main content of the Risk Assessment and Treatment Report does not include the risks themselves, only a description of the methodology used and when it was applied. The risks are listed in its annexes, the above-mentioned Risk Assessment Table and the Risk Treatment Table.

Please note that finding only 4 risks for mobile devices is probably too low a number, and this might be challenged at the certification audit, especially if all of these risks are acceptable.

By the way, included in the toolkit you bought, you have access to video tutorials that can help you fill in the Risk Assessment and Risk Treatment tables.

For further information, see:
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/01academy/emy/ademy/my/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/rols-plain-english/risk-management-in-plain-english/

This material can also help you:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/01academy/emy/ademy/my/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- ISO 27001:2013 Foundations Course https://training.advisera.com/se/iso-14001-internal-auditor-course/o-27001-foundations-course/
