Expert Advice Community


Does risk treatment table need to be separate from risk assessment table?

Guest
Guest user Created:   Jul 15, 2022 Last commented:   Jul 15, 2022

Does the risk treatment table need to be separate from the risk assessment table?  It seems to me that columns on treatments and treated risk values can be added to the unacceptable risks in the risk assessment table and this can avoid duplication.  What do you think?

Expert
Rhand Leal Jul 15, 2022

ISO 27001 does not prescribe how to document risk assessment and risk treatment information, so organizations are free to document them as they see fit.

Our recommendation is to keep this information in separate documents because the list of treated risks is in general much smaller than the total list of assessed risks.

Keeping these assessed and treated risks in a single document, to avoid duplication, would only make it unnecessarily big and complex to read.  

For further information, see:
