Expert Advice Community

Question regarding ISO 27001 risk assessment process

Created:   Aug 07, 2020 Last commented:   Aug 07, 2020

Dear Dejan,

In February 2020 I bought the Advisera ISO 27001 tool kit and I am now making good progress with the ISO 27001 project.

Currently, I am working on the Risk Assessment in your Excel file template.

Our company has 35 employees and we operate as a service provider in the field of real estate investment management for institutional clients.

At this point I have identified 191 threats for various assets in our company. Out of these 191 threats only 35 are categorized as „unacceptable“ risks.

Somehow I fear that this number may be too low and my risk assessment may be too optimistic.

Do you have any thoughts on my numbers?

Thank you very much in advance for your help.


Expert
Rhand Leal Aug 07, 2020

First, it is important to note that ISO 27001 does not require a "minimum" number of risks, only that relevant risks are identified and treated.

Additionally, I'm assuming that, in your statement, by "threats" you mean risks ("threats" are components of risks, like assets and vulnerabilities, not the risks themselves).

Considering that, the number of risks you mentioned, 191, is a good number. To have a parameter, when using the asset-threat-vulnerability approach, a small organization generally identifies between 50 and 100 assets, with 3 vulnerabilities and 2 threats for each asset, so they identify between 300 and 600 risks.

Regarding the relation between unacceptable risks and the total of identified risks, a good reference to be used is the 20/80 relation, i.e., 25% of the total risks as unacceptable risks, and your relation is almost there (35/191 = 18,32%).

It is more important to note that you should be more concerned about the quality of the identified risks (i.e., how relevant they are for the organization) than their quantity.

The single point you need to pay attention to is to not overlook obvious risks, i.e., the risks that someone with proper competence in the process or asset would easily identify. To mitigate this risk, you need to include in the risk assessment the personnel involved with the process or asset.

An important thing to note is that risks for which you already have implemented controls (and you will only accept the risk) also count for your relevant risks.

These articles will provide you with further explanation about risk assessment and treatment:
- ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
- 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
- Risk assessment tips for smaller companies https://advisera.com/27001academy/blog/2010/02/22/risk-assessment-tips-for-smaller-companies/
