ISO 27001 Internal Auditor Exam - Expert Question
Do you add or multiply to find risk? For the risk assessment, do you add or multiply the impact and likelihood of risk? In ISO 27001, under risk assessment, the 3rd module, called risk assessment, has a chart that has them added together, and in the video he states they can be added or multiplied. So I wanted to clarify: is it actually both, if they ask on the exam?
ISO 27001 does not prescribe how to relate impact and likelihood to define risk, so both approaches are acceptable.
For further information, see:
- How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#section3
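To see why the chosen method must be written down in the risk assessment methodology, here is an added example (not part of the answer above or of any Advisera material) that scores a constructed set of risks on a 1-to-5 scale both ways. The risk names and values are made up for illustration; the point is that addition and multiplication can rank the same risks in a different order and produce a different number of distinct risk levels, so the treatment threshold only makes sense once the method is fixed.

```python
from itertools import product

# Constructed 1..5 scale used for both impact and likelihood.
SCALE = range(1, 6)


def additive_score(impact, likelihood):
    """Risk = impact + likelihood (range 2..10 on a 1..5 scale)."""
    return impact + likelihood


def multiplicative_score(impact, likelihood):
    """Risk = impact x likelihood (range 1..25 on a 1..5 scale)."""
    return impact * likelihood


def risk_matrix(score_fn, scale=SCALE):
    """Return {(impact, likelihood): score} for every cell of the matrix."""
    return {(i, l): score_fn(i, l) for i, l in product(scale, scale)}


def distinct_levels(score_fn, scale=SCALE):
    """How many different risk values the method can produce on this scale."""
    return len(set(risk_matrix(score_fn, scale).values()))


def rank(risks, score_fn):
    """Order risks from highest to lowest score (stable for ties)."""
    return sorted(
        risks,
        key=lambda r: score_fn(r["impact"], r["likelihood"]),
        reverse=True,
    )


# Constructed sample register: values chosen so the two methods disagree.
SAMPLE_RISKS = [
    {"name": "laptop theft", "impact": 3, "likelihood": 2},
    {"name": "data centre flood", "impact": 5, "likelihood": 1},
    {"name": "phishing email", "impact": 2, "likelihood": 5},
]


def compare_rankings(risks=SAMPLE_RISKS):
    """Return (names ranked additively, names ranked multiplicatively)."""
    return (
        [r["name"] for r in rank(risks, additive_score)],
        [r["name"] for r in rank(risks, multiplicative_score)],
    )


def above_threshold(risks, score_fn, threshold):
    """Names of risks that need treatment under a given method and threshold."""
    return [
        r["name"]
        for r in risks
        if score_fn(r["impact"], r["likelihood"]) >= threshold
    ]


if __name__ == "__main__":
    add_order, mul_order = compare_rankings()
    print("additive ranking:      ", add_order)
    print("multiplicative ranking:", mul_order)
    print("distinct levels: add =", distinct_levels(additive_score),
          "mul =", distinct_levels(multiplicative_score))
```

Running it, "data centre flood" (impact 5, likelihood 1) outranks "laptop theft" (impact 3, likelihood 2) under addition (6 vs 5) but falls below it under multiplication (5 vs 6); multiplication also yields 14 distinct levels against 9 for addition, which is why a threshold such as "treat everything scored 6 or higher" means different things under each method.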
Jun 29, 2022