Expert Advice Community

Guest user Created: Jan 12, 2016 Last commented: Jan 12, 2016

Evaluation of the impact of the identified risks

I wonder whether the evaluation of the impact of the identified risks and the impact assessment process use the same criteria and the same tolerance, or whether there is a difference, and what happens when we evaluate a process that can generate high impact, but the assessment of these risks is that they are unlikely, and the residual risk is low.


DejanK Jan 12, 2016

To calculate the risk, you have to assess two main components: impact and likelihood. In most cases the scales for those two components are the same (e.g. low-medium-high for both, or 1 to 5 for both).

However, if you assess business continuity risks, you can add additional weight to high impact if you feel this will better represent the resulting risk - in other words, you are free to set your risk assessment methodology as you see fit.

Regarding the acceptable level of risk, it is set for the risk itself, not separately for the components (impact and likelihood).

This article may help you: How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

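The scoring approach described in the answer above, as an added worked example (this is not code from the original thread, from DejanK, or from Advisera). It uses the same 1-to-5 scale for impact and likelihood, optionally applies extra weight to high impact (the answer's business-continuity suggestion), and compares the acceptable level against the resulting risk score rather than against either component. The acceptable threshold of 8, the "high impact from 4" cut-off, the weight multiplier, and the three register entries are all assumptions made up for illustration; the "data centre fire" entry shows the questioner's scenario of high impact with low likelihood.

```python
"""Risk scoring with a shared 1-5 scale, optional high-impact weighting,
and an acceptance decision taken on the resulting risk, not its parts.

All numbers and register entries below are constructed for illustration.
"""
from dataclasses import dataclass

IMPACT_SCALE = range(1, 6)      # 1 = negligible ... 5 = catastrophic (assumed)
LIKELIHOOD_SCALE = range(1, 6)  # 1 = rare ... 5 = almost certain (assumed)
ACCEPTABLE_RISK = 8             # hypothetical acceptable level, set on the score


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int
    likelihood: int
    # Steps by which existing or planned controls lower each component.
    likelihood_reduction: int = 0
    impact_reduction: int = 0


def risk_score(impact, likelihood, high_impact_from=4, high_impact_weight=1):
    """risk = impact x likelihood, with optional extra weight on high impact.

    high_impact_weight=1 gives the plain product used in most methodologies;
    a value above 1 multiplies impacts at or above high_impact_from, which is
    one way to make a catastrophic-but-rare risk stand out.
    """
    if impact not in IMPACT_SCALE or likelihood not in LIKELIHOOD_SCALE:
        raise ValueError(f"values must be on the 1-5 scale: {impact}, {likelihood}")
    weighted_impact = impact * high_impact_weight if impact >= high_impact_from else impact
    return weighted_impact * likelihood


def is_acceptable(score, acceptable=ACCEPTABLE_RISK):
    """The threshold applies to the combined score only."""
    return score <= acceptable


def residual_components(risk):
    """Impact and likelihood after controls, never below the bottom of the scale."""
    return (max(1, risk.impact - risk.impact_reduction),
            max(1, risk.likelihood - risk.likelihood_reduction))


def assess(register, high_impact_weight=1, acceptable=ACCEPTABLE_RISK):
    """Score inherent and residual risk for each entry and decide on treatment."""
    rows = []
    for r in register:
        inherent = risk_score(r.impact, r.likelihood, high_impact_weight=high_impact_weight)
        ri, rl = residual_components(r)
        residual = risk_score(ri, rl, high_impact_weight=high_impact_weight)
        rows.append({
            "risk": r.name,
            "inherent": inherent,
            "residual": residual,
            "accept": is_acceptable(residual, acceptable),
        })
    return rows


# Constructed sample register (not real assessment data).
REGISTER = [
    # High impact, low likelihood, no control planned: the questioner's case.
    Risk("Data centre fire destroys primary site", impact=5, likelihood=1),
    # Likely but moderate; MFA and awareness training assumed to cut likelihood by 3.
    Risk("Phishing leads to credential theft", impact=3, likelihood=5,
         likelihood_reduction=3),
    # Full-disk encryption assumed to cut the impact of a stolen laptop by 3.
    Risk("Laptop theft exposes unencrypted data", impact=4, likelihood=3,
         impact_reduction=3),
]


def main():
    for weight in (1, 2):
        print(f"\nhigh_impact_weight={weight}, acceptable<={ACCEPTABLE_RISK}")
        for row in assess(REGISTER, high_impact_weight=weight):
            decision = "accept" if row["accept"] else "treat"
            print(f"  {row['risk']:<40} inherent={row['inherent']:>2} "
                  f"residual={row['residual']:>2} -> {decision}")


if __name__ == "__main__":
    main()
```

With the plain product the fire risk scores 5 and falls under the threshold of 8 even though its impact is the highest on the scale, which is exactly the outcome the question describes: acceptance is decided on the score, so a rare catastrophic event can end up "accepted". Setting `high_impact_weight=2` lifts that same risk to 10 and pushes it into treatment without touching the moderate-impact entries, which is the effect the answer's extra weighting is meant to have.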
