Expert Advice Community

Guest

ISO 27001 Risk Assessment

  Quote
Guest
Guest user Created:   Feb 04, 2021 Last commented:   Feb 04, 2021

ISO 27001 Risk Assessment

When initially identifying risks in a Risk Assessment, is the assessment done based on existing and implemented controls or is it as if no controls are currently implemented? For example:  If the Threat is fire in an office building, would the Vulnerability be “no fire protection” even if the building already has fire extinguishers and a sprinkler system? Or, should fire not be listed in the Risk Assessment since it’s no longer identified as being a Threat?  Thank you.

0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Feb 04, 2021

First is important to note that you need to include in the risk assessment every risk you understand as relevant, even if there are controls already implemented to treat them.

If you already have controls implemented, you should consider their effects on the risk value, so that your risk assessment table reflects the current situation of your environment. The existing controls should be included in the "Existing Controls" column.

By the way, included in the toolkit you bought you have access to a video tutorial that can help you fill the risk assessment and risk treatment tables.

These articles will provide you a further explanation about risk assessment:

These materials will also help you regarding risk assessment:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Feb 04, 2021

Feb 04, 2021