Expert Advice Community

Performing Risk Assessment and Treatment

Guest user Created:   Nov 09, 2016 Last commented:   Nov 09, 2016

1 - I am filling out the Risk Assessment and Treatment Methodology document in the documentation toolkit. I have already listed out all the assets and their threats, vulnerabilities, and owners. My question is on filling out the risk criteria, specifically the likelihood. Do I take the existing controls into consideration for determining total risk?
Expert
Rhand Leal Nov 09, 2016

Answer: I assume you are referring to the Risk Assessment Table and the criteria provided in the Risk Assessment and Treatment Methodology document. The existing controls must be taken into account when determining the total risk, and they must be recorded in the "Existing Controls" column of the Risk Assessment Table.

2 - For example, if I do consider existing controls and assume they are good enough so that when combined with impact the total risk is 0, 1, or 2 – which I have defined as acceptable – would I have to write anything in “Means of implementation” on the Risk Treatment Table?

Answer: If a risk you identified in the Risk Assessment Table already has a control implemented to treat it, you would only have to include it in the Risk Treatment Table if the existing control needs to be improved. Otherwise, you can keep the record only in the Risk Assessment Table.

3 - If the existing control that I have judged to be strong is a control that directly matches a control in the ISO Appendix A, do I say on the Statement of Applicability that it is applicable?

Answer: Yes, if you can match the implemented control with a control in the ISO 27001 Appendix A, you can state that that control is applicable in the Statement of Applicability.

4 - Do my questions make sense?

Answer: Yes, your questions all make sense, and your perception of what should be done is right. :)

These materials will also help you in performing the risk assessment and treatment:

- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
