ISMS & BCMS risk assessment
Our organization ERM & BCMS risk is 5 (impact) x 5 (likelihood), however the ISMS is 4 (impact) x 4 (likelihood), can we use both or it should be aligned. based on your audit experience, is it nonconformity or not.
Assign topic to the user
ISO 27001 does not prescribe how to evaluate risks, so you can choose the approach that better fits your needs.
Considering that, you can use different scales for your ERM & BCMS and ISMS. This difference is not a reason to raise a nonconformity, but the auditor may inquire the reason for using a different scale, since using a single scale can make your risk management process easier (you wouldn’t need to convert values to compare risks from different frameworks).
These articles will provide you a further explanation about risk assessment:
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
This material will also help you regarding risk assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Comment as guest or Sign in
Apr 21, 2021