Expert Advice Community

Questions about risk

Guest user, created: Oct 06, 2020, last commented: Oct 06, 2020

1. What is the expected risk level of the residual risk? Assume acceptance is below 3, should a residual risk level be more than 3 having implemented all controls

2. Clause 6.1.1 requires actions to address opportunities.
a. What are opportunities, in relation to the ISMS?
b. What are the actions to address opportunities?

3. What determines likelihood of occurrence in risk assessment? Is it the frequency of occurrence of an activity/process?

Expert
Rhand Leal Oct 06, 2020

1. What is the expected risk level of the residual risk? Assume acceptance is below 3, should a residual risk level be more than 3 having implemented all controls

ISO 27001 does not prescribe an expected risk level for residual risk. The residual risk will depend on the organization's risk appetite (the greater the risk appetite, the higher the residual risk may be), or on the availability of resources to implement controls to further decrease the risk below the acceptance level.

In your example, the residual risk can be either below, equal to, or above the value 3.

For further information, see:

2. Clause 6.1.1 requires actions to address opportunities.
a. What are opportunities, in relation to the ISMS?

For ISO 27001, an opportunity is a situation, or set of circumstances, that makes it possible to do something that will increase the performance of the ISMS or prevent a problem. The second circumstance was known as a preventive action in previous versions of the standard.

For example, using the existing internal newsletter to raise awareness about preventing security incidents is an example of an opportunity (you do not need to spend the effort to create a whole new information channel if you can use an existing one).

b. What are the actions to address opportunities?

One easy way to address opportunities is by documenting such actions in your management review minutes, in corrective actions, or in any other records or documents that you use in your company (for example, actions agreed through email).

3. What determines likelihood of occurrence in risk assessment? Is it the frequency of occurrence of an activity/process?

The frequency of occurrence of an activity/process is the most common way to determine likelihood, but you also need to consider the competence of the personnel performing the activity/process (i.e., less competent personnel performing it will increase the likelihood of risk occurrence), as well as the resources used (e.g., using low-quality equipment, or equipment operated below manufacturer specifications, can increase the likelihood of risk occurrence).

For further information, see:

This material will also help you regarding risk management:

Guest
Macharia Oct 06, 2020

Thanks a lot for your response. Indeed you have addressed issues left vague by the standard, especially on the opportunity.
