Quantity of risks
Considering that you will still receive inputs from your technical people, as a starting point, ~200 risks, with ~15% of them to be treated, is a good scenario.
Please note that the auditor will be more concerned about the quality of the identified risks (i.e., how relevant they are for the organization) than their quantity. The single point you need to pay attention to is to not overlook obvious risks, i.e., risks that someone with proper competence in the process or asset would easily identify. To mitigate this risk, you need to include in the risk assessment the personnel involved with the process or asset.
An additional thing to note is that risks for which you already have implemented controls (and you will only accept the risk) also count for your relevant risks.
Feb 13, 2022