Thanks for a very informative webinar on risk assessment. I have 3 questions please:
1. In your experience, what would you say about multiple risk assessments for in-scope business units as opposed to one asset-based risk assessment for the company? I ask because I work for a large company with over 3000 employees, and it's hard to do one risk assessment for the entire company as different assets are owned and managed by different teams/business units, and these even overlap sometimes, e.g. an asset may have multiple owners.
2. How would you determine the residual risk scores after you have implemented the controls to manage the risks identified? Do you create another two columns for impact and likelihood after the initial impact and likelihood assessment that resulted in the inherent risk scores?
3. In terms of scoping the risk assessment, you mentioned using our ISMS scope statement, but our scope isn't based on assets but on processes?
I look forward to hearing back from you.