Get 4 FREE months of Conformio to implement ISO 27001

Expert Advice Community

Guest

Initial Risk Assessment Non-conformity

  Quote
Guest
Guest user Created:   Oct 25, 2023 Last commented:   Oct 25, 2023

Initial Risk Assessment Non-conformity

At our last surveillance audit our assessor raised a non-conformity on the basis that our initial risk assessment, showing many of the risks as being acceptable i.e. scoring less than 3, did not show any justification for why we made that assessment and Conformio doesn’t require that. Our assessment would have been based on the controls etc already in place at that time.

Obviously, you are of the view that when making the initial assessment, it’s not necessary for us to record why we make that assessment.  What is the reasoning behind this?

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Oct 25, 2023

Please note that, when performing risk assessment, if an assessed risk takes into account controls already in place at the time of the assessment, it is important to document this information so anyone who reads the assessment can have the same understanding (otherwise, other persons will interpret the assessment with incomplete information).

In Conformio, for each risk entry, you have a comment field where you can add information about which controls were already in place at the time of the assessment. This is the justification for assessing the risk as low.

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Oct 25, 2023

Oct 25, 2023

Suggested Topics

Lajvar Created:   Apr 29, 2024 ISO 27001 & 22301
Replies: 1
0 0

Risk treatment plan

Tanya S Created:   Dec 01, 2023 ISO 27001 & 22301
Replies: 1
0 0

Residual Risk Calculations