Expert Advice Community


Performing risk assessment

Guest user Created:   Feb 11, 2018 Last commented:   Feb 11, 2018


I am looking at our suppliers and considering each one in terms of risk. I am aiming to define the level of risk as low, medium or high for each supplier.

Expert
Rhand Leal Feb 11, 2018

I am not sure if I should be defining in terms of HOW LIKELY each supplier may be to let us down in some way, or THE IMPACT of a supplier letting us down.

For example, FIRE: the likelihood of our fire alarm supplier letting us down is very low, as they are a reputable supplier who do regular maintenance visits, but the IMPACT, should a fire destroy our office, would be very HIGH.

Similarly, with a firewall provider: the likelihood of an issue is low but the impact would be very high. Which way do I need to look at each supplier in order to define risk?

Answer: The definition of risk is a combination of likelihood and probability, so you must consider both aspects in your risk assessment.

Since you stated you are using the scale low-medium-high, the possible combinations for likelihood vs. impact are low-low, high-high, low-high and high-low.

Considering these combinations, you may define that for a low-low result the risk is acceptable and do nothing. For the high-high combination the risk is unacceptable and security controls must be defined and implemented. As for the low-high and high-low combinations, you should check them on a case-by-case basis, considering the identified impact, to decide whether or not to treat the risk.

These articles will provide you with further explanation about performing risk assessment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

These materials will also help you with performing risk assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

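The likelihood-versus-impact decision described in the answer, as an added Python example (not part of the original thread or of Advisera's materials). It extends the answer's low/high combinations with the medium level of the asker's scale and treats a supplier's overall risk as the worst of its individual failure scenarios, so one rare-but-catastrophic scenario (the fire alarm or firewall case) is not averaged away. The score banding thresholds, the `Scenario`/`Assessment` types and the sample supplier register are assumptions constructed for illustration, not anything ISO 27001 prescribes.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Qualitative scale used for likelihood, impact and the resulting risk."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Scenario:
    """One way a supplier could let us down, rated on the low/medium/high scale."""
    description: str
    likelihood: Level
    impact: Level


@dataclass(frozen=True)
class Assessment:
    level: Level        # resulting supplier risk (worst scenario wins)
    decision: str       # accept / review / treat
    driver: Scenario    # the scenario that produced the level


def risk_level(likelihood: Level, impact: Level) -> Level:
    """Combine likelihood and impact into a risk level.

    Score is the product of the two 1..3 ratings (1..9), banded so that low-low
    is LOW, high-high is HIGH, and the mixed low-high / high-low cases from the
    answer land in MEDIUM. The band thresholds are an assumption of this example.
    """
    score = likelihood * impact
    if score <= 2:
        return Level.LOW
    if score <= 4:
        return Level.MEDIUM
    return Level.HIGH


def treatment_decision(level: Level, impact: Level) -> str:
    """Map a risk level to the handling rule given in the answer."""
    if level == Level.LOW:
        return "accept"   # acceptable: do nothing
    if level == Level.HIGH:
        return "treat"    # unacceptable: controls must be defined and implemented
    # Mixed cases are decided case by case; a high impact is flagged so the
    # reviewer sees the catastrophic-but-unlikely scenarios first.
    return "review (impact-driven)" if impact == Level.HIGH else "review"


def assess_supplier(scenarios: list[Scenario]) -> Assessment:
    """A supplier's risk is the worst of its scenarios; ties broken by impact."""
    worst = max(scenarios, key=lambda s: (risk_level(s.likelihood, s.impact), s.impact))
    level = risk_level(worst.likelihood, worst.impact)
    return Assessment(level, treatment_decision(level, worst.impact), worst)


def assess_suppliers(register: dict[str, list[Scenario]]) -> dict[str, Assessment]:
    return {name: assess_supplier(scenarios) for name, scenarios in register.items()}


def prioritised(register: dict[str, list[Scenario]]) -> list[str]:
    """Supplier names ordered highest risk first, for the treatment plan."""
    results = assess_suppliers(register)
    return sorted(results, key=lambda n: (-results[n].level, -results[n].driver.impact, n))


# Constructed sample register mirroring the examples in the question (assumed data).
SUPPLIERS: dict[str, list[Scenario]] = {
    "Fire alarm supplier": [
        Scenario("missed maintenance leaves the alarm inoperative during a fire", Level.LOW, Level.HIGH),
    ],
    "Firewall provider": [
        Scenario("provider outage takes perimeter filtering offline", Level.LOW, Level.HIGH),
        Scenario("slow vendor patching leaves a firewall flaw exposed", Level.MEDIUM, Level.HIGH),
    ],
    "Office cleaning contractor": [
        Scenario("unescorted access to workstations after hours", Level.MEDIUM, Level.LOW),
    ],
    "Cloud backup provider": [
        Scenario("backups unrecoverable when a restore is needed", Level.HIGH, Level.HIGH),
    ],
}

if __name__ == "__main__":
    results = assess_suppliers(SUPPLIERS)
    for name in prioritised(SUPPLIERS):
        a = results[name]
        print(f"{name:28} {a.level.name:6} -> {a.decision:22} ({a.driver.description})")
```

Run as a script it prints the register ordered for treatment: the cloud backup and firewall providers come out HIGH (treat), the fire alarm supplier MEDIUM with an impact-driven review flag, and the cleaning contractor LOW (accept). The point worth copying into a spreadsheet version is the per-scenario rating with the supplier inheriting the worst scenario; rating a supplier as a single likelihood/impact pair loses exactly the low-likelihood, high-impact cases the question is about.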
