Expert Advice Community

Risk acceptance criteria and acceptance level

Guest user | Created: Jan 08, 2017 | Last commented: Jan 09, 2017

Is acceptable level of risk the same as risk acceptance criteria in ISO 27001:2013?

Expert: Rhand Leal (Jan 08, 2017)

Answer: No. The risk acceptance criteria are the factors you consider when evaluating whether you accept a risk or not (e.g., probability, impact, risk value, cost of the control, etc.). The acceptable level of risk is the value attributed to a risk acceptance criterion, which defines for that criterion whether a risk should be accepted or not. For example, you can consider risk value as a risk acceptance criterion, and for that criterion the acceptable level of risk is any risk value lower than 5, which means that any risk with a value lower than 5 can be accepted.

This article will provide you further explanation about risk criteria and acceptance level:
- How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

These materials will also help you regarding risk criteria and acceptance level:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-simple-a-small-business-guide-toimplementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://training.advisera.com/course/iso-27001-foundations-course/

Guest: lina6 (Jan 09, 2017)
Thank you so much for this. Can you explain how to correctly determine the level of risk (cl. 6.1.2 d (3))? Does this imply risk calculation, and if so, how to correctly carry it out? Many thanks.

Expert: Rhand Leal (Jan 09, 2017)
Yes, this implies risk calculation. Considering ISO 27001, the most common ways to determine risk level are by simply summing or multiplying the values attributed to the likelihood and impact you consider in your risk analysis (e.g., if likelihood = 2 and impact = 1, your risk level would be 3 by using sum, or 2 by using multiplication). For simple risk analysis there is no difference whether you use sum or multiplication (this choice is more relevant when you work with statistical data).

This article will provide you further explanation about risk level calculation:
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/knowledgebase/how-to-assess-consequences-and-likelihood-in-iso-27001-risk-analysis/
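The calculation described in this answer, combined with the "risk value lower than 5" acceptance criterion from the first answer, as an added Python example that is not part of this thread. The 1-5 likelihood and impact scales and the register entries are constructed for illustration; the function names are assumptions.

```python
from dataclasses import dataclass
from typing import List, Literal

Method = Literal["sum", "product"]


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain); constructed scale
    impact: int      # 1 (negligible) .. 5 (severe); constructed scale


def risk_level(risk: Risk, method: Method) -> int:
    """Combine likelihood and impact the way the answer describes: sum or multiplication."""
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    if method == "sum":
        return risk.likelihood + risk.impact
    if method == "product":
        return risk.likelihood * risk.impact
    raise ValueError(f"unknown method {method!r}")


def is_acceptable(level: int, acceptable_level: int) -> bool:
    """Criterion 'risk value': a risk is acceptable when its level is below the acceptable level."""
    return level < acceptable_level


def risks_needing_treatment(register: List[Risk], method: Method, acceptable_level: int) -> List[str]:
    """Return asset/threat pairs whose level is not acceptable, highest level first."""
    unacceptable = [
        (risk_level(r, method), r) for r in register
        if not is_acceptable(risk_level(r, method), acceptable_level)
    ]
    unacceptable.sort(key=lambda pair: pair[0], reverse=True)
    return [f"{r.asset}/{r.threat} (level {lvl})" for lvl, r in unacceptable]


# Constructed sample register; the first entry is the answer's own likelihood=2, impact=1 example.
REGISTER = [
    Risk("laptop", "theft", likelihood=2, impact=1),
    Risk("file server", "ransomware", likelihood=3, impact=4),
    Risk("backup tapes", "loss in transit", likelihood=1, impact=5),
    Risk("web app", "SQL injection", likelihood=4, impact=4),
]

if __name__ == "__main__":
    for method in ("sum", "product"):
        print(method, risks_needing_treatment(REGISTER, method, acceptable_level=5))
```

With the same acceptable level of 5, the backup-tape risk is flagged under multiplication but not under summation, so the threshold has to be set for whichever method the risk assessment methodology adopts.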

Guest: lina6 (Jan 09, 2017)
Thank you very much. How can I define the criteria for performing risk assessments (cl. 6.1.2), please?

Expert: Rhand Leal (Jan 10, 2017)
Regarding ISO 27001, you should consider performing a risk assessment:

1 - every time a significant change occurs in the external or internal conditions that may impact your ISMS scope or objectives. Examples of external conditions are changes in laws and regulations. Examples of internal conditions are the introduction of new information systems, modifications to information systems already running, or changes in business processes or objectives.

2 - after a predefined time since the last risk assessment, even if no external or internal conditions have changed (normally this periodicity is one year, but you should consider your activities and industry to define a proper periodicity).

Guest: lina6 (Jan 10, 2017)
Thank you very much for your help, really appreciate it.