Expert Advice Community


How detailed should be the risk assessment?

Guest
Guest user Created:   Apr 12, 2016 Last commented:   Apr 12, 2016

How detailed should be the risk assessment?

1) Does the risk assessment need to be so detailed?


Expert
Dejan Kosutic Apr 12, 2016

Answer: No, in most cases people tend to over-complicate the risk assessment - essentially, ISO 27001 requires only the following 5 elements:
- Identifying the risk
- Risk owner
- Risk impact
- Risk likelihood
- Level of risk

Therefore, if you want your risk assessment to be simple, you just need to limit it to these 5 elements. This article will explain how to do it: How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

2) What are the most relevant points for performing the risk assessment in a consistent way?

Besides having a clear risk assessment methodology, you have to perform all 6 steps in the risk assessment process - see this article for an explanation: ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
