Listing mitigated risks in RAT
1 – In the RAT, presumably I do not list risks that are already mitigated?
2 – Is it possible to see an example of a real and completed RAT, preferably for a SaaS business?
1 – In the RAT, presumably I do not list risks that are already mitigated?
When performing Risk Assessment and Treatment you need to include every risk you understand as relevant, even if there are controls already implemented to treat them.
If you already have controls implemented, you should consider their effects on the risk value, so that your risk assessment table reflects the current situation of your environment. The existing controls should be included in the "Existing Controls" column in your Risk Assessment Table template.
By the way, included in the toolkit you bought, you have access to a video tutorial that can help you fill in the risk assessment and risk treatment tables.
These articles will provide you with further explanation about risk assessment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
These materials will also help you regarding risk assessment:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- Free webinar The basics of risk assessment and treatment according to ISO 27001 https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
2 – Is it possible to see an example of a real and completed RAT, preferably for a SaaS business?
Unfortunately, we do not have example documents we can disclose due to confidentiality agreements with our customers.
By the way, included in the toolkit you bought, you have access to video tutorials that can help you fill in the risk assessment and risk treatment templates.
For examples of risk assessment, I can suggest these materials:
- Diagram of ISO 27001:2013 Risk Assessment and Treatment process https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
May 07, 2021
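The answer above makes a point that is easy to get wrong when building a risk assessment table by hand: a risk that already has controls stays in the table, and the existing controls lower its residual value rather than removing the row. The following Python example is added here to illustrate that; it is not code from the toolkit or from Advisera, and the 1..5 scale, the "steps removed per control" scoring rule, the acceptable-risk threshold of 6 and the sample SaaS risks are all constructed assumptions for the illustration.

```python
"""Minimal risk assessment table (RAT) builder showing how existing controls
affect the risk value without removing the risk from the table.
Scale, scoring rule and sample data are assumptions for this example."""
from dataclasses import dataclass, field

SCALE_MIN, SCALE_MAX = 1, 5  # assumed 1..5 scale for likelihood and impact


@dataclass(frozen=True)
class Control:
    """An already-implemented control and the steps it removes (assumed rule)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1..5, before existing controls are considered
    impact: int      # 1..5, before existing controls are considered
    existing_controls: list[Control] = field(default_factory=list)


def clamp(value: int) -> int:
    """Keep a likelihood/impact figure inside the assumed scale."""
    return max(SCALE_MIN, min(SCALE_MAX, value))


def inherent_value(risk: Risk) -> int:
    """Risk value with no controls taken into account."""
    return risk.likelihood * risk.impact


def residual_value(risk: Risk) -> int:
    """Risk value once existing controls are applied (the 'current situation')."""
    likelihood = clamp(risk.likelihood - sum(c.likelihood_reduction for c in risk.existing_controls))
    impact = clamp(risk.impact - sum(c.impact_reduction for c in risk.existing_controls))
    return likelihood * impact


def treatment(risk: Risk, acceptable: int) -> str:
    """Treatment decision: accept if residual value is within the acceptable level."""
    return "accept" if residual_value(risk) <= acceptable else "treat"


def build_rat(risks: list[Risk], acceptable: int = 6) -> list[dict]:
    """Build the table: every risk is a row, including those already mitigated."""
    return [
        {
            "asset": r.asset,
            "threat": r.threat,
            "vulnerability": r.vulnerability,
            "existing_controls": [c.name for c in r.existing_controls],
            "inherent": inherent_value(r),
            "residual": residual_value(r),
            "treatment": treatment(r, acceptable),
        }
        for r in risks
    ]


# Constructed sample risks for a hypothetical SaaS company (not real data).
SAMPLE_RISKS = [
    Risk(
        asset="Customer database",
        threat="Unauthorised access to customer records",
        vulnerability="Credentials usable without a second factor",
        likelihood=4,
        impact=4,
        existing_controls=[
            Control("Multi-factor authentication on admin accounts", likelihood_reduction=2),
            Control("Encryption of data at rest", impact_reduction=1),
        ],
    ),
    Risk(
        asset="Source code repository",
        threat="Ransomware / destructive malware",
        vulnerability="No offline backup of repositories",
        likelihood=4,
        impact=5,
        existing_controls=[],
    ),
]

if __name__ == "__main__":
    for row in build_rat(SAMPLE_RISKS):
        print(row)
```

Running the module prints both rows: the customer-database risk keeps its row with the two existing controls listed, its residual value drops from 16 to 6 and it is accepted, while the uncontrolled repository risk stays at 20 and is marked for treatment. The point is that filtering out "already handled" risks before the table is built would hide exactly the controls an auditor expects to see justified.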