Expert Advice Community

Guest

Quantity of risks

  Quote
Guest
Guest user Created:   Feb 13, 2022 Last commented:   Feb 13, 2022

Quantity of risks

Good day Dejan, I hope things are going well in your part of the world? We at *** are slowly working on our ISO27001 accreditation and would appreciate some guidance from you please. How does the attached Risk Table look for a small IT services company with ~15x people? When we spoke last, you suggested that we do the certification for our whole business as opposed to just our SOC portion, so I’ve considered elements from our offices, hosted customer environment and our new SOC. I’ve used ~50x of your standard assets, combined with your standard Threats and Vulnerabilities, and have come up with ~200x Risks. ~15% of these will need further attention later in the process based on their risk score. Are these risks and numbers appropriate, or do we need more / less / different? I don’t want to get too far ahead if this stage still needs more work. We still need to share it with our technical people who could very well raise some additional assets and associated threats, vulnerabilities and risks. I also don’t want to add too many risks if they are effectively trivial, but also want to demonstrate to an auditor later that we have applied our mind to the task. Would you be available for some feedback by email and/or online meeting in the next 2-3x weeks? 7x hours time difference to Perth so probably 9am your end / 4pm our end will work. Look forward to hearing from you.
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Feb 13, 2022

Considering that you will still receive inputs from your technical people, as a starting point, ~200 risks, with ~15% of them to be treated is a good scenario.

Please note that the auditor will be more concerned about the quality of the identified risks (i.e., how relevant they are for the organizations) than their quantity. The single point you need to pay attention to is to not overlook obvious risks, i.e., risks that someone with proper competence in the process or asset would easily identify. To mitigate this risk, you need to include in the risk assessment the personnel involved with the process or asset.

An additional thing to note is that risks for which you already have implemented controls (and you will only accept the risk) also count for your relevant risks.

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Feb 13, 2022

Feb 13, 2022

Suggested Topics

Guest user Created:   Nov 08, 2018 ISO 27001 & 22301
Replies: 1
0 0

Risk assessment

Guest user Created:   Apr 23, 2018 ISO 27001 & 22301
Replies: 1
0 0

Risk assessment

Guest user Created:   Mar 15, 2023 ISO 27001 & 22301
Replies: 1
0 0

Annual Audit Program