Questions about risk assessment

Answer: I'm assuming you are referring to European 2017 Revision of ISO/IEC 27001. Considering that, this is an European version of ISO 27001, with minor adjustments that do not affect an ISMS based on ISO 27001:2013, so there are no corrections needed on documents from the toolkits.

For further information see:
- European 2017 Revision of ISO/IEC 27001: What has changed? https://advisera.com/27001academy/blog/2017/10/25/european-2017-revision-of-isoiec-27001-what-has-changed/

2. Also regarding the risk assessment and treatment should not be signed from risk owner and others? Please advise or any recommendation whom shall sign?

Answer: The residual risks, final result of risk assessment and treatment proc ess, must be accepted and signed either by risk owners or by top management on their behalf. What normally happens is that top management formally accepts residual risks and only consult risk owners on situations where residual risk is not clear enough and requires clarification (e.g., when a residual risk has high value and the treatment option chose was accept the risk).

For further information see:
- Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
- 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/

3. And also in case of the organization has ERM section or department how it will be handled shall information security department ignore ERM and follow this methodology? Keep in mind the organization are adopting ISO 31000 and framework are defined is it better to refer to them?

Answer: First it is important to note that ISO 27001 does not prescribe a risk assessment and treatment methodology, so an organization can adopt the methodology that best suits its needs. Additionally, the standard provides a note informing that its requirements aligns with the principles and generic guidelines provided in ISO 31000, so you can adopt the methodology used by the ERM section, only considering minor adjustments for it to consider relevant aspects for information security.

These articles will provide you further explanation about risk assessment and treatment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- ISO 31000 and ISO 27001 – How are they related? https://advisera.com/27001academy/blog/2014/03/31/iso-31000-and-iso-27001-how-are-they-related/

These materials will also help you regarding risk assessment and treatment:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/