Information Security Risk Assessment and Risk Treatment
1. What happens if all controls (Existing and additional control(based on Annex A) are implemented? Does it mean we entirely remove the risk from the register - yet based on the activities there are chances of the risk taking place?
2. How often should an organization undertake risk assessment and risk treatment
3. When should one calculate the residual risk? Should it determine the risk assessment process of the subsequent year?
4. Is there any template that you can share for risk assessment and treatment, with criteria and like hood, etc.
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
1. What happens if all controls (Existing and additional control(based on Annex A) are implemented? Does it mean we entirely remove the risk from the register - yet based on the activities there are chances of the risk taking place?
The risk register is the evidence that relevant risks were identified, so you cannot remove them after controls are implemented. What you do is update the risk value from the initially identified one to the new risk value considering the implemented controls (these are the residual risks). In case the risks you identified already take into account already existent controls, you need to state the existing controls associated with the risk.
For further information, see:
- Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
2. How often should an organization undertake risk assessment and risk treatment
ISO 27001 does not prescribe how often to perform a risk assessment and risk treatment, but in general, organizations perform them once a year, of every time there is a significant change in the organization.
3. When should one calculate the residual risk? Should it determine the risk assessment process of the subsequent year?
The residual risk should be estimated after the definition of controls to be applied to treat the risk and reviewed after the related controls have been implemented (to confirm if the estimation is correct, or if any adjustment is needed).
4. Is there any template that you can share for risk assessment and treatment, with criteria and like hood, etc.
To see how a risk assessment and risk treatment documentation compliant with ISO 27001 looks like, I suggest you take a look at the free demo of our Risk Assessment Toolkit at this link: https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/
Thank you for your reply
Are the risk treatment options limited to the four discussed in your publication?
Is there conventional risk acceptance criteria, based on likelihood and consequence?
Is treatment options generated from risk acceptance criteria?
How can I join your community...to review issues relating to 27001...tried to sign in but it's impossible...can only comment as a guest?
1. Are the risk treatment options limited to the four discussed in your publication?
I'm assuming you are referring to the book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Considering that, risk acceptance, risk avoidance, risk mitigation, and risk transfer are the most common and used treatments, but regarding ISO 27001 you can use other approaches you may find useful.
2. Is there conventional risk acceptance criteria, based on likelihood and consequence?
Common types of risk acceptance criteria involve financial, brand, and legal aspects, but there are no conventional details, like the range of financial values, because these details will depend on the business objectives and its tolerance to risks (e.g., for organizations with low tolerance to risk, the acceptable financial impact of risk will be lower than for organizations with high tolerance to risk)
For further information, see:
- Risk appetite and its influence over ISO 27001 implementation https://advisera.com/27001academy/blog/2014/09/08/risk-appetite-influence-iso-27001-implementation/
3. Is treatment options generated from risk acceptance criteria?
No. Treatment options are based on the identified risk and your available resources. The risk criteria will give you an idea about how much resources you should consider, but they do not define them.
For further information, see:
- 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
4. How can I join your community...to review issues relating to 27001...tried to sign in but it's impossible...can only comment as a guest?
In order to post comments on our Expert Advice Community, you need to create an account at this link: https://community.advisera.com/sign-up/
After that, you will be able to log in and post questions and search for other topics you are interested in.
Comment as guest or Sign in
Sep 24, 2020