ISO 27001:2022 implementation issue
I want to ask about establishing risk acceptance criteria in clause 6 - 6.1.2, and whether there is any sample I can view in order to complete creating my system, which is for a cloud-based software solutions company.
The definition of the risk acceptance criteria will depend on how you calculate risk value.
For example, if your method of risk calculation produces values from 2 to 10, then you can decide that an acceptable level of risk is, e.g., 7 – this would mean that only the risks valued at 8, 9, and 10 need treatment.
Alternatively, you can examine each individual risk and decide which should be treated or not based on your insight and experience, using no pre-defined values.
For further information, see:
- How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#section3
May 26, 2023