Risk acceptance criteria and acceptance level

Answer: No. The risk acceptance criteria are the factors you consider when evaluating if you accept a risk or not (e.g., probability, impact, risk value, cost of the control, etc,). The acceptable level of risk is the value attributed to a risk acceptance criteria, that defines for that criteria if a risk should be accepted or not. For example, you can consider risk value as a risk acceptance criteria and for that criteria the acceptable level of risk is any risk value lower than 5, which means that any risk with value lower than 5 can be accepted.

This article will provide you further explanation about risk criteria and acceptance level:
- How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

These materials will also help you regarding risk criteria and acceptance level:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advi sera.com/books/secure-simple-a-small-business-guide-toimplementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Thank you so much for this. Can you explain how to correctly determine the level of risk cl. 6.1.2 d (3), does this imply risk calculation, if so, how to correctly carry it out? Many thanks.

Yes, this imply risk calculation. Considering the ISO 27001, the most common ways to determine risk level are by simply summing or multiplying the values attributed for likelihood and impact you consider in your risk analysis (e.g., if likelihood = 2 and impact = 1, your risk level would be 3, by using sum, or 2, by using multiplication). For simple risk analysis there is no difference if you use sum or multiplication (this choice is more relevant when you work with statistical data).

This article will provide you further explanation about risk level calculation:
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

Thank you very much. How can I define the criteria for performing risk assessments cl. 6.1.2 please.?

Regarding ISO 27001, you should consider performing a risk assessment:

1 - every time a significant change occurs in the external or internal conditions that may impact in your ISMS scope or objectives. Examples of external conditions are changes in laws and regulations. Examples of internal conditions are the introduction of new information systems, modifications on information systems already running, or changes in business processes or objectives.

2 - after a predefined time since the last risk assessment, even if no external or internal conditions had changed (normally this periodicity is one year, but you should consider your activities and industry to define a proper periodicity).

Thank you very much for your help, really appreciate it.