Initial Risk Assessment Non-conformity
At our last surveillance audit, our assessor raised a non-conformity on the basis that our initial risk assessment, showing many of the risks as being acceptable, i.e. scoring less than 3, did not show any justification for why we made that assessment, and Conformio doesn’t require that. Our assessment would have been based on the controls etc. already in place at that time.
Obviously, you are of the view that when making the initial assessment, it’s not necessary for us to record why we make that assessment. What is the reasoning behind this?
Please note that, when performing risk assessment, if an assessed risk takes into account controls already in place at the time of the assessment, it is important to document this information so anyone who reads the assessment can have the same understanding (otherwise, other persons will interpret the assessment with incomplete information).
In Conformio, for each risk entry, you have a comment field where you can add information about which controls were already in place at the time of the assessment. This is the justification for assessing the risk as low.
Oct 25, 2023