Internal and external issues and interested parties in ISO 27001
When ISO 31000 says that the risk assessment starts with the identification of issues, how should I proceed?
I am sorry, but ISO 31000 does not specifically say that the risk assessment starts with the identification of issues (I suppose that this is what you mean). According to ISO 31000 (clause 5.4.1 General): "Risk assessment is the overall process of risk identification, risk analysis and risk evaluation". And in clause 5.4.2 Risk identification, you can read: "The organization should identify sources of risk, areas of impacts, events (including changes in circumstances) and their causes and their potential consequences". So, you start the risk assessment with the risk identification, then you continue with the risk analysis, and finally with the risk evaluation.
Anyway, if you are interested in the identification of issues, this article may be of interest to you: "Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization)": https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
Jan 12, 2016