Get 30% off on toolkits, course exams, and books.
Limited-time offer – ends May 26, 2022
Use promo code:

Expert Advice Community


Question regarding ISO 27001 risk assessment process

Guest user Created:   Aug 07, 2020 Last commented:   Aug 07, 2020

Question regarding ISO 27001 risk assessment process

Dear Dejan,

In February 2020 I bought the Advisera ISO 27001 tool kit and I am now making good progress with the ISO 27001 project.

Currently, I am working on the Risk Assessment in your excel file template.

Our company has 35 employees and we operate as a service provider in the field of real estate investment management for institutional clients.

At this point I have identified 191 threats for various assets in our company. Out of these 191 threats only 35 are categorized as „unacceptable“ risks.

Somehow I fear that this number may be too low and my risk assessment may be too optimistic.

Do you have any thoughts on my numbers?

Thank you very much in advance for your help.

0 0

Assign topic to the user


Step-by-step implementation for smaller companies.


Step-by-step implementation for smaller companies.

Rhand Leal Aug 07, 2020

First is important to note that ISO 27001 does not require a "minimum" number of risks, only that relevant risks are identified and treated.

Additionally, I'm assuming that, in your statement, by "threats" you mean risks ("threats" are components of risks, like assets and vulnerabilities, not the risks themselves).

Considering that, the number of risks you mentioned, 191, is a good number. To have a parameter, when using the asset-threat-vulnerability approach, a small organization generally identifies between 50 to 100 assets, with 3 vulnerabilities and 2 threats for each asset, so they identify between 300 to 600 risks.

Regarding the relation between unacceptable risks and total of identified risks, a good reference to be used is the 20/80 relation, i.e., 25% of the total risks as unacceptable risks, and your relation is almost there (35/191 = 18,32%).

It is more important to note that you should be more concerned about the quality of the identified risks (i.e., how relevant they are for the organizations) than their quantity.

The single point you need to pay attention to is to not overlook obvious risks, i.e., the risks that someone with proper competence to the process or asset would easily identify. To mitigate this risk you need to include in the risk assessment the personnel involved with the process or asset.

An important thing to note is that risk for which you already have implemented controls (and you will only accept the risk) also count for your relevant risks.

These articles will provide you a further explanation about risk assessment and treatment:
- ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/knowledgebase/how-to-assess-consequences-and-likelihood-in-iso-27001-risk-analysis/
- 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
- Risk assessment tips for smaller companies https://advisera.com/27001academy/blog/2010/02/22/risk-assessment-tips-for-smaller-companies/

0 0

Comment as guest or Sign in

HTML tags are not allowed

Aug 06, 2020

Aug 07, 2020