Expert Advice Community

Guest

Question on risk assessment

  Quote
Guest
Guest user Created:   Oct 04, 2022 Last commented:   Oct 06, 2022

Question on risk assessment

One thing that I cannot understand is why we do need to maintain 2 separate documents, 1 for Risk assessment and 1 for Risk treatment. Let’s say, I have a Risk assessment excel spreadsheet containing 500 rows representing each risk which I maintain and keep updated accordingly (risk identification+ analysis + calculation is always completed).

Now I need to transfer all those 500 Risks to another excel spreadsheet to determine what are those appropriate controls that can put in place in order to treat risks respectively.

My question is whether I can have a merged/combined document to maintain including for both tasks. I have my Risk assessment excel document with all required columns (risk identification+ analysis + calculation, etc.), and what I need is to add another 5-6 extra columns required by the Risk treatment plan and have them all in one.  Is this right?

0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Oct 04, 2022

ISO 27001 does not prescribe how to document risk assessment and risk treatment information, so organizations are free to document them as they see fit.

Our recommendation is to keep this information in separate documents because the list of treated risks is in general much smaller than the total list of assessed risks.

Keeping these assessed and treated risks in a single document, to avoid duplication, would only make it unnecessarily big and complex to read.  

For further information, see:

Quote
0 0
Guest
Guest user Oct 04, 2022

I really appreciate the support you’ve given me.  One more clarification please. Can you give me some more information about the risks I need to include/present in my Risk treatment plan? I mean, do I need to have them all? Low, moderate high?

Quote
0 0
Expert
Rhand Leal Oct 06, 2022

Please note that the purpose of the Risk Treatment Plan is to determine precisely who is responsible for the implementation of controls, in which time frame, with what budget, etc., so you do not need to present any risks in the Risk Treatment Plan

For further information, see:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Oct 04, 2022

Oct 06, 2022