Thanks for a very informative webinar on risk assessment. I have 3 questions please:
In your experience what would you say about multiple risk assessments for in-scope Business units as opposed to one asset-based risk assessment for the company? I ask because I work for a large company with over 3000 employees and it’s hard to do one risk assessment for the entire company as different assets are owned and managed by different teams/Business units, and these even overlap sometimes, e.g. an asset may have multiple owners.
How would you determine the residual risk scores after you have implemented the controls to manage risks identified? Do you create another 2 columns for impact and likelihood after the initial impact and likelihood assessment that resulted in the inherent risk scores?
In terms of scoping the risk assessment you mentioned using our ISMS scope statement, but our scope isn't based on assets but on processes?
I look forward to hearing back from you.
1 - In your experience what would you say about multiple risk assessments for in-scope Business units as opposed to one asset-based risk assessment for the company? I ask because I work for a large company with over 3000 employees and it’s hard to do one risk assessment for the entire company as different assets are owned and managed by different teams/Business units, and these even overlap sometimes, e.g. an asset may have multiple owners.
ISO 27001 requires that the risk assessment results are comparable, which means that you need to use the same risk assessment methodology in your whole company (no matter if the company is large or small). Of course, a larger company could perform the risk assessment in several iterations (or sub-projects), but it is important that this is done using a company-wide risk assessment methodology.
2 - How would you determine the residual risk scores after you have implemented the controls to manage risks identified? Do you create another 2 columns for impact and likelihood after the initial impact and likelihood assessment that resulted in the inherent risk scores?
Your assumption is correct. The residual risk must be recorded in different columns, so that it is possible to compare the values before and after control implementation.
For further information, see:
- Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
3 - In terms of scoping the risk assessment you mentioned using our ISMS scope statement, but our scope isn't based on assets but on processes?
Please note that while the proposed risk assessment is based on assets, these assets need to be related to the processes included in the ISMS scope statement, so the risk assessment makes sense to the ISMS.
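The points in the answer above (one company-wide methodology applied across several business units, assets with more than one owner, and residual impact/likelihood kept in separate columns from the inherent values) can be seen in a small risk register model. The following is an added example, not code from the original thread or from Advisera; the 1-5 scales, the acceptance threshold of 8 and every asset, owner and rating in it are constructed sample data.

```python
"""Risk register model: inherent vs. residual scoring under one shared methodology.

Added illustration for the Q&A above (not part of the original answer).
Assumptions, all constructed for the example: impact and likelihood are
rated 1..5, score = impact x likelihood, and a residual score above 8 is
not accepted and still needs treatment.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

SCALE = range(1, 6)        # company-wide methodology: ratings 1..5 (assumed)
ACCEPTABLE_RISK = 8        # company-wide acceptance threshold (assumed)


@dataclass
class RiskEntry:
    asset: str
    business_unit: str
    owners: list[str]                      # an asset may have several owners
    threat: str
    inherent_impact: int
    inherent_likelihood: int
    # Separate "columns" for the post-control assessment; the inherent values
    # above are never overwritten, so before/after remain comparable.
    residual_impact: Optional[int] = None
    residual_likelihood: Optional[int] = None
    controls: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        for v in (self.inherent_impact, self.inherent_likelihood):
            if v not in SCALE:
                raise ValueError(f"{self.asset}: rating {v} is outside the 1-5 scale")

    @property
    def inherent_score(self) -> int:
        return self.inherent_impact * self.inherent_likelihood

    @property
    def residual_score(self) -> Optional[int]:
        if self.residual_impact is None or self.residual_likelihood is None:
            return None                    # controls not yet assessed
        return self.residual_impact * self.residual_likelihood

    @property
    def current_score(self) -> int:
        """Residual score once assessed, otherwise the inherent score."""
        return self.inherent_score if self.residual_score is None else self.residual_score


def apply_controls(entry: RiskEntry, controls: list[str],
                   residual_impact: int, residual_likelihood: int) -> RiskEntry:
    """Record the post-control rating using the same 1-5 scale as the inherent one."""
    for v in (residual_impact, residual_likelihood):
        if v not in SCALE:
            raise ValueError(f"{entry.asset}: residual rating {v} is outside the 1-5 scale")
    entry.controls = list(controls)
    entry.residual_impact = residual_impact
    entry.residual_likelihood = residual_likelihood
    return entry


def risk_reduction(entry: RiskEntry) -> Optional[int]:
    """How much the score dropped after controls (None if not yet reassessed)."""
    return None if entry.residual_score is None else entry.inherent_score - entry.residual_score


def needs_treatment(register: list[RiskEntry]) -> list[str]:
    """Assets whose current score still exceeds the acceptance threshold."""
    return [e.asset for e in register if e.current_score > ACCEPTABLE_RISK]


def multi_owner_assets(register: list[RiskEntry]) -> list[str]:
    """Assets with more than one owner: these need a single agreed risk owner."""
    return [e.asset for e in register if len(e.owners) > 1]


def summarize_by_unit(register: list[RiskEntry]) -> dict[str, int]:
    """Highest current score per business unit; comparable because one scale is used."""
    summary: dict[str, int] = {}
    for e in register:
        summary[e.business_unit] = max(summary.get(e.business_unit, 0), e.current_score)
    return summary


def build_register() -> list[RiskEntry]:
    """Constructed sample register spanning several business units."""
    hr_db = RiskEntry("HR database", "HR", ["HR", "IT"], "unauthorised access", 5, 4)
    apply_controls(hr_db, ["MFA", "quarterly access review"], 5, 1)
    payroll = RiskEntry("Payroll application", "Finance", ["Finance"], "data tampering", 4, 3)
    apply_controls(payroll, ["change approval", "audit logging"], 4, 2)
    fileserver = RiskEntry("Shared file server", "IT", ["IT", "HR"], "ransomware", 3, 4)
    website = RiskEntry("Public website", "Marketing", ["Marketing"], "defacement", 2, 3)
    return [hr_db, payroll, fileserver, website]


if __name__ == "__main__":
    reg = build_register()
    for e in reg:
        print(f"{e.asset:22} inherent={e.inherent_score:2} residual={e.residual_score}")
    print("still needs treatment:", needs_treatment(reg))
    print("multiple owners:", multi_owner_assets(reg))
    print("max score per unit:", summarize_by_unit(reg))
```

Running the module prints the register and shows that the file server, which has no residual assessment yet, is the only entry still above the threshold; the per-unit summary only makes sense because every unit rated on the same scale, which is the comparability point made in the first answer.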
Mar 08, 2023