Risk acceptance criteria

Guest user, created: May 18, 2017, last commented: May 18, 2017

If our risk acceptance criteria is only to treat the top 5 risks, is it acceptable to only have a risk treatment plan for our top 5 risks?

Expert
Rhand Leal May 18, 2017

Please let me know if this is sufficient for the ISO 27001 audit.

Answer: Yes. If your risk evaluation, considering your acceptance criteria, has defined that only 5 risks are considered unacceptable, you can have treatment plans only for these 5 risks.

These articles will provide you with further explanation about risk acceptance criteria:
- How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
- Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/

In the video tutorials that came with your toolkit, you have access to a video about Risk Assessment Methodology that can provide you more information about risk acceptance criteria.
