Answer:
First, it is important to note that ISO 27001 does not define what residual risk means, nor how it is determined.
However, consulting ISO 27000, which presents the vocabulary for information security management systems and is referred to in section 3 of the standard, residual risks are the risks remaining after risk treatment.
Considering that, the auditor's statement is not correct, because at the point where residual risk acceptance is required (after approval of the risk treatment plan) some controls may not have been implemented yet, so calculation of residual risk is the only way for decision makers to have an estimate of whether the selected controls are sufficient.
Maybe what the auditor tried to say is that you cannot take a calculated residual risk as real until you measure the effects of the implemented controls. You can consider it at most an expected residual risk until the first measurement and evaluation of control effectiveness, which will validate (or not) your calculation.
This article will provide you with further explanation about residual risks:
- Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
Jun 26, 2019