Problem in describing risks
ISO 27001:2013 does not require risk description; what it does require in clause 6.1.2 c) 1) is to identify the risks - the asset-based methodology we are using in the toolkit is the most widely used methodology for identifying the risks. Actually, this was a mandatory methodology under the previous 2005 revision of ISO 27001, and is still in use in most companies.
So, if you have identified all the assets and their related threats and vulnerabilities, then I would challenge this auditor and ask him to reference a clause of the standard that requires the "description".
If you want, you can send me your Risk assessment table to my email and I'll review it, just to make sure it is done properly.
Jun 22, 2016