Guest user Created: Jul 15, 2022 Last commented: Jul 15, 2022

Does risk treatment table need to be separate from risk assessment table?

Does the risk treatment table need to be separate from the risk assessment table? It seems to me that columns on treatments and treated risk values can be added to the unacceptable risks in the risk assessment table and this can avoid duplication. What do you think?

0 0

Assign topic to the user

Select user

Expert

Rhand Leal Jul 15, 2022

ISO 27001 does not prescribe how to document risk assessment and risk treatment information, so organizations are free to document them as they see fit.

Our recommendation is to keep this information in separate documents because the list of treated risks is in general much smaller than the total list of assessed risks.

Keeping these assessed and treated risks in a single document, to avoid duplication, would only make it unnecessarily big and complex to read.

For further information, see:

ISO 27001 Risk Assessment, Treatment, & Management: The Complete Guide https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Jul 15, 2022

Expert Advice Community