Questions about risk
1. What is the expected risk level of the residual risk? Assume acceptance is below 3, should a residual risk level be more than 3 having implemented all controls
2. Clause 6.1.1 requires actions to address opportunities.
a. What are opportunities - in relation to ISMS
b. What are the actions to address opportunities
3. What determines likelihood of occurrence in risk assessment ? Is it the frequency for occurrence of an activity/process?
1. What is the expected risk level of the residual risk? Assume acceptance is below 3, should a residual risk level be more than 3 having implemented all controls
ISO 27001 does not prescribe an expected risk level for residual risk. The residual risk will depend on the organization's risk appetite (the greater the risk appetite, the higher the residual risk may be), or on the availability of resources to implement controls to further decrease the risk below the acceptance level.
In your example, the residual risk can be either below, equal to, or above the value 3.
For further information, see:
- Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
- Risk appetite and its influence over ISO 27001 implementation https://advisera.com/27001academy/blog/2014/09/08/risk-appetite-influence-iso-27001-implementation/
2. Clause 6.1.1 requires actions to address opportunities.
a. What are opportunities - in relation to ISMS
For ISO 27001, an opportunity is a situation, or set of circumstances, that makes it possible to do something that will increase the performance of the ISMS or prevent a problem. The second case was known as a preventive action in previous versions of the standard.
For example, using the existing internal newsletter to raise awareness about preventing security incidents is an example of an opportunity (you do not need to spend the effort to create a whole new information channel if you can use an existing one).
b. What are the actions to address opportunities
One easy way to address opportunities is by documenting such actions in your Management review minutes, in corrective actions, or any other records or documents that you use in your company (for example actions agreed through email).
3. What determines likelihood of occurrence in risk assessment ? Is it the frequency for occurrence of an activity/process?
The frequency of occurrence of an activity/process is the most common way to determine likelihood, but you also need to consider the competence of the personnel performing the activity/process (i.e., less competent personnel performing it will increase the likelihood of risk occurrence), as well as the resources used (e.g., using low-quality equipment, or equipment operated below manufacturer specifications, can increase the likelihood of risk occurrence).
For further information, see:
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
This material will also help you regarding risk management:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Oct 06, 2020