Question on risk assessment
One thing that I cannot understand is why we need to maintain 2 separate documents, 1 for Risk assessment and 1 for Risk treatment. Let's say I have a Risk assessment Excel spreadsheet containing 500 rows, one for each risk, which I maintain and keep updated accordingly (risk identification + analysis + calculation is always completed).
Now I need to transfer all those 500 risks to another Excel spreadsheet to determine what appropriate controls can be put in place in order to treat each risk.
My question is whether I can have a single merged/combined document to maintain for both tasks. I have my Risk assessment Excel document with all required columns (risk identification + analysis + calculation, etc.), and what I need is to add another 5-6 extra columns required by the Risk treatment plan and have them all in one. Is this right?
ISO 27001 does not prescribe how to document risk assessment and risk treatment information, so organizations are free to document them as they see fit.
Our recommendation is to keep this information in separate documents because the list of treated risks is in general much smaller than the total list of assessed risks.
Keeping these assessed and treated risks in a single document, to avoid duplication, would only make it unnecessarily big and complex to read.
For further information, see:
- ISO 27001 Risk Assessment, Treatment, & Management: The Complete Guide https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/
I really appreciate the support you've given me. One more clarification, please. Can you give me some more information about the risks I need to include/present in my Risk treatment plan? I mean, do I need to have them all? Low, moderate, high?
Please note that the purpose of the Risk Treatment Plan is to determine precisely who is responsible for the implementation of controls, in which time frame, with what budget, etc., so you do not need to present any risks in the Risk Treatment Plan.
For further information, see:
- Risk Treatment Plan vs. risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#section19
Oct 06, 2022