Help for maintaining a risk register
I'm helping an organisation with their ISO 27001 work.
I've seen the instructions on how to set up the risk register, which seems easy, but do you have any instructions on how to work with the risk register in the upcoming years and cycles after certification? (Our mutual customer has implemented and certified ISO 27001 in your tool.)
It looks like you need to go through the process all over again to reach the register, and all risks seem to get the risk value zero after a plan.
I'm looking to see the progress of making the risks smaller, and to filter and work with all risks in the prioritization order which the auditors demand.
Can you guide me to any information, manual or video on how to work with the register after implementation? (Or are you supposed to extract it and work in Excel or alike?)
1 - I've seen the instructions on how to set up the risk register, which seems easy, but do you have any instructions on how to work with the risk register in the upcoming years and cycles after certification?
(Our mutual customer has implemented and certified ISO 27001 in your tool.) It looks like you need to go through the process all over again to reach the register.
Answer: First of all, thanks for the feedback.
Once you have performed the first risk assessment and treatment, you can access the Risk Register Module, and by clicking the “Edit Risk Register” button you can perform one or both of the following actions:
Update the current information of approved risks (i.e., update the risk value and/or risk owner).
Create a new risk (i.e., define the risk, the risk value and the risk owner), by clicking the “Add new risk” button.
Once you have updated approved risks and/or created new risks, by clicking the next button in the left-side part of your screen you can proceed to the review of changes, and after that, for the reviewed risks, to the definition of risk treatment and the approval of the risks and treatments.
As you can see, in the case of only reviewing risks the effort is smaller, because you will only be updating the risk value and/or risk owner in the assessment phase (all other steps still need to be performed).
2 - all risks seem to get the risk values zero after a plan.
Answer: Regarding residual risks being zero, this is probably because you have decided to apply several different controls to treat each risk, and this approach really results in a great decrease in risk, because some controls work over consequence while others work on the probability of a risk occurring.
3 - I'm looking to see the progress of making the risk smaller,
Answer: To work in the way you described, we suggest that, when adding new risks or reviewing the treatment of already approved risks, you implement only one control at a time and see its effect on the risk, and after that add new controls and see their combined effect.
4 - filter and work with all risks in prioritization order which the auditors demand.
Answer: Regarding risk prioritization and filtering, please note that an auditor should not demand a specific prioritization. Risk treatment prioritization is an organizational decision, based on its context and risk appetite. Regarding that, what the auditor can do is require you to explain which criteria you used to prioritize them and evaluate if these criteria make sense to your ISMS.
The auditor can at most suggest a prioritization (the organization can evaluate the suggestion and follow it or not according to its need).
5 - Can you guide me to any information, manual or video on how to work with the register after implementation? (Or are you supposed to extract it and work in excel or alike)
Answer: You can schedule an online meeting with one of our experts so he can guide you on performing a risk review by accessing this link: https://advisera.com/consultations/.
Jun 29, 2023