ISO 27001 Risk Monitoring
From your question it is not clear from where you are gathering the data for reviewing the risk assessment sheet, but your way is one of the alternatives to perform risk monitoring.
Another way to perform risk monitoring is through periodic process performance evaluation or during management review, when you consider recorded events, incidents and non-compliances, process performance results, and changes in the context of the organization.
All these inputs can show trends in risks that may require the risks on the risk assessment to be adjusted, either by means of including/excluding risks, changing probability and/or impact values of existing risks, or by changing the treatment or controls for those risks.
If your organization already performs performance evaluations and management reviews on a regular basis, then maybe you should consider reviewing the risk assessment sheet within a greater interval, using as input the results of these evaluations and reviews. This way you can decrease the effort on versioning the risk assessment sheet.
These articles will provide you further explanation about monitoring:
- How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
- Why is management review important for ISO 27001 and ISO 22301? https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/
Thanks Rhand for the reply. I agree with you that the performance evaluation should provide input to the risk monitoring. But what if there is a high risk which is related to a critical asset and it is not related to performance evaluation? I mean the risk register has many risks which are related neither to performance evaluation nor to the management review; what can be done in that case?
Also, can you please elaborate on performance evaluation and how to do it? For my understanding, I am conducting internal audits and management review by ISGC meetings, wherein I present to the ISGC the status of the IS program with the number of reduced incidents and risks.
How can management review help me monitor risk?
Thanks
1 - I agree with you that the performance evaluation should provide input to the risk monitoring. But what if there is a high risk which is related to a critical asset and it is not related to performance evaluation? I mean the risk register has many risks which are related neither to performance evaluation nor to the management review; what can be done in that case?
Answer: You can define specific reviews only for the risks with high value that fit the conditions you stated. This way you won't have to review all the risks on the risk assessment table. It is important to note that the situations you stated are not common, because in general high risks are treated by the application of controls, which are part of a process that can be monitored and evaluated. The situations you described are very often associated with accepted risks (where the cost to decrease the risk is considered too high and no action is performed).
2 - Also, can you please elaborate on performance evaluation and how to do it? For my understanding, I am conducting internal audits and management review by ISGC meetings, wherein I present to the ISGC the status of the IS program with the number of reduced incidents and risks.
Answer: Performance evaluation can be understood as the periodic review performed by the process owner or by the head of the department where the process is carried out. It is the control activity performed by the people who perform and are responsible for the process, and because of this it can be performed on a much shorter cycle. Internal audit is the second level of control, where people outside the process evaluate it.
3 - How can management review help me monitor risk?
Answer: Top management has a systemic view of the business, and normally access to external or sensitive information not available to lower levels of the organization, which can help identify situations that can affect risk. For example, the decision to enter a new market with new regulations to be compliant with, or reports about trends among competitors.
Nov 29, 2018