Performing risk assessment
So I guess my question is, if in the risk assessment the risk level is a 1 or a 2, can I still put in a control? And would it be a risk acceptance or selection of control under selection of options? Another example would be if the level of risk is a 1 or a 2 and it is an accepted risk, but I want to make the treatment method stronger... would I still put risk acceptance and then select a control, or just selection of control?
Answer: If during the risk assessment you identify that risks are acceptable because there are already implemented controls, you should mention the related controls in the Risk Assessment Table, column J (Existing Controls), and there is no need to transfer those risks to the Risk Treatment Table, unless you decide to include additional controls to treat these risks, or make improvements on the controls already implemented.
If you decide to include an already acceptable risk in the risk treatment table (because you want to improve a control or add a new one), there is not much sense in choosing the option "risk acceptance", because this option means you intend to make changes now.
Included in the toolkit you bought, you have access to a video tutorial that can help you perform the risk assessment and treatment.
This article will provide you with further explanation about risk assessment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
This material will also help you regarding risk assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
Jan 25, 2018