Contents of the Risk assessment report
Answer:
ISO 27001 doesn't specify the contents of the Risk assessment report; it only says that the results of the risk assessment and risk treatment process need to be documented - this means that whatever you have done during this process needs to be written down.
Typically it includes all the risks that were identified, risk owners, their impact and likelihood, level of risk, risks that are not acceptable, and treatment options for each unacceptable risk. The risk appetite (i.e. acceptable level of risk) should be specified in the Risk assessment methodology, but yes - you can mention it in the Risk assessment report as well.
May 16, 2016