Does risk treatment table need to be separate from risk assessment table?
ISO 27001 does not prescribe how to document risk assessment and risk treatment information, so organizations are free to document them as they see fit.
Our recommendation is to keep this information in separate documents because the list of treated risks is in general much smaller than the total list of assessed risks.
Keeping these assessed and treated risks in a single document, to avoid duplication, would only make it unnecessarily big and complex to read.
For further information, see:
- ISO 27001 Risk Assessment, Treatment, & Management: The Complete Guide https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/
Jul 15, 2022