Risk assessment in Conformio
1- Why are confidentiality, availability, and integrity not considered in the Risk Assessment? And how is Conformio addressing them?
2- Why is there no prioritization for actions in the RTP? This should be identified based on the risk levels. We only see a list, but it is not based on the risks identified.
1- Why are confidentiality, availability, and integrity not considered in the Risk Assessment? And how is Conformio addressing them?
ISO 27001 does not require the impact on confidentiality, integrity, and availability to be explicitly evidenced during the assessment (e.g., as separate values).
According to the Risk Assessment Methodology, confidentiality, integrity, and availability are represented through impact when assessing risks.
2- Why is there no prioritization for actions in the RTP? This should be identified based on the risk levels. We only see a list, but it is not based on the risks identified.
First, it is important to note that ISO 27001 does not prescribe how to prioritize actions in the Risk Treatment Plan, so organizations can adopt the prioritization criteria that best fit their needs.
In the Risk Treatment Plan in Conformio, you prioritize the activities by defining the deadlines for their implementation.
This article will provide you with further explanation about risk treatment:
Jun 24, 2023