Expert Advice Community

Contents of the Risk assessment report

Guest
Guest user Created: May 17, 2016 Last commented: May 17, 2016

Can you confirm whether the Risk Assessment Report should contain all the results of the risk assessment (i.e. acceptable risks and non-acceptable risks, based on the risk values that have been deduced) and the risk appetite of the business?

Expert
Dejan Kosutic May 17, 2016

Answer:

ISO 27001 doesn't specify the contents of the Risk assessment report, it only says that the results of the risk assessment and risk treatment process need to be documented - this means that whatever you have done during this process needs to be written down.

Typically it includes all the risks that were identified, risk owners, their impact and likelihood, level of risk, risks that are not acceptable, and treatment options for each unacceptable risk. The risk appetite (i.e. acceptable level of risk) should be specified in the Risk assessment methodology, but yes - you can mention it in the Risk assessment report as well.

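The answer above lists what a Risk assessment and treatment report typically records: every identified risk, its owner, impact and likelihood, the resulting level, which risks exceed the appetite, and a treatment option for each of those. The script below is an added example that generates such a report from a small risk register; it is not code from this thread or from the ISO 27001 toolkit it mentions. The 1..5 scoring scale, the rule level = impact x likelihood, the appetite threshold of 9, and the treatment option names are assumptions standing in for whatever a real Risk assessment methodology specifies, and the register entries are constructed.

```python
# Added example, not from the forum thread or the ISO 27001 toolkit it mentions:
# a small generator for an ISO 27001-style risk assessment and treatment report.
# Assumed (not stated on the page): a 1..5 scale for impact and likelihood,
# level = impact x likelihood, a risk appetite threshold of 9, and the four
# treatment option names below. The risk register entries are constructed.
from dataclasses import dataclass

SCALE = range(1, 6)                                  # assumed scoring scale
RISK_APPETITE = 9                                    # assumed threshold from the methodology
TREATMENT_OPTIONS = {"reduce", "avoid", "share", "retain"}  # assumed option names


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    owner: str
    impact: int
    likelihood: int
    treatment: str = ""   # required only when the risk turns out to be unacceptable


def risk_level(risk: Risk) -> int:
    """Assumed method: level is the product of impact and likelihood."""
    return risk.impact * risk.likelihood


def is_acceptable(risk: Risk, appetite: int = RISK_APPETITE) -> bool:
    """A risk is acceptable when its level does not exceed the appetite threshold."""
    return risk_level(risk) <= appetite


def build_report(register, appetite: int = RISK_APPETITE) -> dict:
    """Return the report as a dict: every risk (acceptable or not), the subset that
    needs treatment, and the treatment plan. Rejects out-of-scale scores and
    unacceptable risks that carry no valid treatment option."""
    rows = []
    for r in register:
        if r.impact not in SCALE or r.likelihood not in SCALE:
            raise ValueError(f"{r.asset}: impact/likelihood must be within 1..5")
        acceptable = is_acceptable(r, appetite)
        if not acceptable and r.treatment not in TREATMENT_OPTIONS:
            raise ValueError(f"{r.asset}: unacceptable risk without a treatment option")
        rows.append({
            "asset": r.asset, "threat": r.threat, "vulnerability": r.vulnerability,
            "owner": r.owner, "impact": r.impact, "likelihood": r.likelihood,
            "level": risk_level(r), "acceptable": acceptable,
            "treatment": "none required" if acceptable else r.treatment,
        })
    unacceptable = [row for row in rows if not row["acceptable"]]
    return {
        "risk_appetite": appetite,
        "risks": rows,                      # acceptable risks stay in the report too
        "unacceptable": unacceptable,
        "treatment_plan": [{"asset": row["asset"], "owner": row["owner"],
                            "option": row["treatment"]} for row in unacceptable],
    }


def render(report: dict) -> str:
    """Plain-text rendering of the report sections."""
    lines = [f"Risk appetite (from methodology): level <= {report['risk_appetite']} is acceptable",
             "", "All assessed risks:"]
    for row in report["risks"]:
        status = "acceptable" if row["acceptable"] else "UNACCEPTABLE"
        lines.append(f"  {row['asset']:<18} {row['threat']:<14} owner={row['owner']:<12} "
                     f"I={row['impact']} L={row['likelihood']} level={row['level']:>2} {status}")
    lines += ["", "Risk treatment plan (unacceptable risks only):"]
    for item in report["treatment_plan"]:
        lines.append(f"  {item['asset']}: {item['option']} (owner: {item['owner']})")
    return "\n".join(lines)


# Constructed register for the demonstration
CONSTRUCTED_REGISTER = [
    Risk("Customer database", "SQL injection", "unvalidated input", "App Owner", 5, 3, "reduce"),
    Risk("Staff laptops", "theft", "no disk encryption", "IT Manager", 4, 2),
    Risk("Backup tapes", "fire", "single storage site", "IT Manager", 5, 1),
    Risk("Corporate e-mail", "phishing", "no awareness training", "CISO", 3, 4, "reduce"),
    Risk("Vendor portal", "outage", "single hosting provider", "Procurement", 2, 2),
]

if __name__ == "__main__":
    print(render(build_report(CONSTRUCTED_REGISTER)))
```

The point the script makes in code is the one the answer makes in prose: acceptable risks are still part of the documented results (they appear in the "All assessed risks" section with their level), while only the risks above the appetite feed the treatment plan, and a report that lists an unacceptable risk without a treatment option is rejected rather than silently produced.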