Expert Advice Community
Example of a completed Risk Assessment Table

Guest user Created: Oct 01, 2020 Last commented: Oct 14, 2020

Do you have an example of a completed Risk Assessment Table I could look at, please? I am interested particularly in the numbering system. It seems to me the numbering should run by asset, not by vulnerability, so 1.1, 1.2, etc. until the next asset.


Expert
Rhand Leal Oct 01, 2020

ISO 27001 does not prescribe a numbering system for the risk assessment table, so organizations are free to use the numbering system that best suits them.

Although your proposed numbering system is acceptable, in our understanding the easiest way is to use a simple numbering system identifying the risks themselves (i.e., each asset-threat-vulnerability set), e.g., risk numbers 12, 22, 34, 47, etc. Trying to number the risks by their composing elements individually will only make the risk assessment table unnecessarily complex.

By the way, included in your toolkit you have access to a video tutorial that can guide you on filling in the risk assessment table, using examples with real data.

Guest
Guest user Oct 01, 2020

The Risk Assessment Table will take some time to complete of course and requires whole of business inputs. Can I carry on with the other documents or must I pause here until the RAT and Risk Treatment Tables are completed?

Expert
Rhand Leal Oct 02, 2020

Our recommendation is for you to finish the risk assessment and risk treatment process before developing other documents, to minimize the risk of developing documents that are not needed (because you may not have relevant risks to justify the related controls) or of reworking developed documents because you did not cover relevant risks properly.

Dominic Oct 14, 2020

Thanks @Rhand Leal. I will use the numbering you propose. Do you in any case have an example of a completed RAT I could look at?
Expert
Rhand Leal Oct 14, 2020

For an example of Risk Assessment and Risk Treatment I suggest you take a look at this paper:
