Bills Created: May 07, 2019 Last commented: May 08, 2019

How to Monitor/Update the Risks in Risk Register?

Hi, I have implemented ISMS and have a risk register with all the risk( High, Medium and Low). It's being a year now that I have not updated the Risk Register and also new risk is there to be added. My question is how should I update and add/remove risks in the register? 1)Should I update the sheet with the revision number? 2) Should I remove the risks which already mitigate and are in the residual risk category? 3) Should I keep on adding new risks and keep all the old risks intact? My concern is since the risk assessment in a PDCA cycle and new risks will emerge every day, how should I maintain my risk register? Please advise Thanks

0 0

Assign topic to the user

Select user

Expert

Dejan Kosutic May 08, 2019

Here are the answers:
1) ISO 27001 does not prescribe how to version your risk register - therefore, you can use a new version number and/or you can simply use a date to define the latest version.
2) You should keep all your risks in the risk register, even though they are mitigated - of course, this means that the risk level for such risks will be lower.
3) You should definitely add new risks; you should retain “old” risks if they still exist however you need to assess again their likelihood and impact.
4) You should update your risk register at least once a year, but also more often if there is some big change - e.g. new product, new technology, new process, change in the environment, etc.

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

May 07, 2019

May 08, 2019

Expert Advice Community