Example of a completed Risk Assessment Table
Do you have an example of a completed Risk Assessment Table I could look at, please? I am interested particularly in the numbering system. It seems to me the numbering should run by asset, not by vulnerability, so 1.1, 1.2 etc. until the next asset.
ISO 27001 does not prescribe a numbering system for the risk assessment table, so organizations are free to use the numbering system that best suits them.
Although your proposed numbering system is acceptable, in our understanding, the easiest way is to use a simple numbering system identifying the risks themselves (i.e., each set of asset-threat-vulnerability) (e.g., risk numbers 12, 22, 34, 47, etc.). Trying to number the risks considering their composing elements individually will only make the risk assessment table unnecessarily complex.
By the way, included in your toolkit you have access to a video tutorial that can guide you on filling in the risk assessment table, using examples with real data.
The Risk Assessment Table will take some time to complete of course and requires whole of business inputs. Can I carry on with the other documents or must I pause here until the RAT and Risk Treatment Tables are completed?
Our recommendation is for you to finish the risk assessment and risk treatment process before developing other documents, to minimize the risk of developing documents that are not needed (because you may not have relevant risks to justify the related controls) or of reworking already developed documents because you did not cover relevant risks properly.
Thanks @Rhand Leal. I will use the numbering you propose. Do you in any case have an example of a completed RAT I could look at?
For an example of Risk Assessment and Risk Treatment, I suggest you take a look at this paper:
- Diagram of ISO 27001:2013 Risk Assessment and Treatment process (PDF) https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process
Oct 14, 2020