Best practice for residual risk?
Assign topic to the user
No - there is no best practice because each company needs to determine their acceptable level of risk based on the methodology, based on the industry they are in, based on the management intention, etc. This article may help you: Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
However, I noticed some inconsistencies in your calculation of risk: asset value is basically the same thing as the impact, so you calculate the same value twice in your risk which is unnecessary; further, you calculate both likelihood and vulnerability, however vulnerability is (together with the threat) part of calculating the likelihood - again you have duplication.
Thi s article will help you with defining the formula: How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
Comment as guest or Sign in
Apr 01, 2016