Expert Advice Community

Risk assessment

Guest
Guest user Created: Mar 24, 2020 Last commented: Mar 27, 2020

1. Do we need to identify the risk?

2. What are the differences between existing controls and planned controls and after which step we can identify them?

3. How we can fill these fields?


Expert
Rhand Leal Mar 24, 2020

1. Do we need to identify the risk?

Information security risk identification is a mandatory requirement for ISO 27001 (clause 6.1.2 c)), so you need to identify information security-related risks.

2. What are the differences between existing controls and planned controls and after which step we can identify them?

Existing controls are controls that are already implemented before the start of the risk assessment and risk treatment process, while planned controls are controls to be implemented, either because they are not implemented yet or because implemented controls are not sufficient and need adjustment.

Planned controls are identified after the risk treatment process, during the development of the risk treatment plan.

For further information, please see:

3. How we can fill these fields?

I'm assuming you are referring to the Risk Assessment Table and Risk Treatment Table templates you can find in these links:

  • https://advisera.com/27001academy/documentation/risk-assessment-table/
  • https://advisera.com/27001academy/documentation/risk-treatment-table/

If you decide to purchase these templates (or a toolkit which contains these templates), you will get access to video tutorials that explain how to fill out these tables, using real examples.

Guest
Peter Mar 25, 2020

https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/ does not address question 2

With regards to ISO 27001, what is the correct sequence in evaluating risk vs current controls? 

Expert
Rhand Leal Mar 27, 2020

https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/ does not address question 2

First of all, thanks for the feedback.

The issue about existing controls is, in fact, missing in step 2 (risk assessment implementation). The proper text is:

"Once you know the rules, you can start finding out which potential problems could happen to you – you need to list all your assets, then threats and vulnerabilities related to those assets, as well as controls you already have implemented, assess the impact and likelihood for each combination of assets/threats/vulnerabilities, considering controls you already have in place, and finally, calculate the level of risk."

We will provide this adjustment ASAP.

With regards to ISO 27001, what is the correct sequence in evaluating risk vs current controls?

Please note that there is no sequence here.

Since current controls have a direct influence on impact and likelihood (the components of the risk), the risk and the current controls have to be assessed at the same time.

For example, for the risk of data loss, if you already have a backup solution implemented, it does not make sense to evaluate the risk of data loss without considering the backup. This would result in an unrealistic risk and unnecessary work to evaluate the risk again, now considering the control. The proper approach is to consider the risk of data loss considering the effects of the backup solution.

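As an added illustration of the two answers above (this is not part of the thread, nor Advisera's own templates or tooling), the script below models a small risk register the way the expert describes it: each row lists an asset, threat, vulnerability and the controls already in place, and impact and likelihood are scored with those existing controls taken into account. The risk level is then calculated, and only rows above the acceptance criterion move into the treatment plan, which is where planned controls get recorded. The 1 to 5 scales, the acceptance level of 6, the "impact times likelihood" formula and every register row are constructed assumptions for the demo, not values taken from ISO 27001 or the templates.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed scoring conventions (constructed for this example, not from ISO 27001):
SCALE = range(1, 6)      # impact and likelihood are scored 1..5
ACCEPTABLE_LEVEL = 6     # risk acceptance criterion: level <= 6 is accepted as-is


@dataclass
class RiskEntry:
    """One row of the risk assessment table.

    impact and likelihood are assessed WITH existing_controls in place,
    so the row is scored once, not "without controls" and then again "with".
    """
    asset: str
    threat: str
    vulnerability: str
    existing_controls: list[str]
    impact: int
    likelihood: int
    planned_controls: list[str] = field(default_factory=list)  # filled during treatment

    def risk_level(self) -> int:
        for name, value in (("impact", self.impact), ("likelihood", self.likelihood)):
            if value not in SCALE:
                raise ValueError(f"{name} must be within {SCALE.start}..{SCALE.stop - 1}, got {value}")
        return self.impact * self.likelihood

    def needs_treatment(self, acceptable: int = ACCEPTABLE_LEVEL) -> bool:
        return self.risk_level() > acceptable


def build_treatment_plan(register: list[RiskEntry], acceptable: int = ACCEPTABLE_LEVEL) -> list[RiskEntry]:
    """Risk treatment step: rows above the acceptance level need planned controls."""
    return [entry for entry in register if entry.needs_treatment(acceptable)]


def rows_missing_planned_controls(register: list[RiskEntry], acceptable: int = ACCEPTABLE_LEVEL) -> list[RiskEntry]:
    """Consistency check: a row selected for treatment must name at least one planned control."""
    return [entry for entry in build_treatment_plan(register, acceptable) if not entry.planned_controls]


def data_loss_comparison() -> tuple[int, int]:
    """The backup example from the thread: same scenario scored ignoring vs. considering the backup.

    Both scorings are constructed; the point is that the first one is unrealistic
    and would have to be redone anyway, so score with existing controls from the start.
    """
    ignoring_backup = RiskEntry("File server", "Disk failure", "Single disk, no redundancy",
                                existing_controls=[], impact=5, likelihood=2)
    with_backup = RiskEntry("File server", "Disk failure", "Single disk, no redundancy",
                            existing_controls=["Daily backup", "Weekly offsite copy"],
                            impact=2, likelihood=2)
    return ignoring_backup.risk_level(), with_backup.risk_level()


# Constructed sample register (fictitious assets and scores)
REGISTER = [
    RiskEntry("File server", "Disk failure", "Single disk, no redundancy",
              ["Daily backup", "Weekly offsite copy"], impact=2, likelihood=2),
    RiskEntry("Customer database", "SQL injection", "Unvalidated web input",
              [], impact=5, likelihood=4,
              planned_controls=["Parameterised queries", "Input validation in web app"]),
    RiskEntry("Staff laptops", "Theft", "Disk not encrypted",
              ["OS login password"], impact=4, likelihood=3,
              planned_controls=["Full-disk encryption"]),
]


if __name__ == "__main__":
    for entry in REGISTER:
        status = "TREAT" if entry.needs_treatment() else "accept"
        print(f"{entry.asset:18} {entry.threat:15} level={entry.risk_level():2}  {status}")
    print("Treatment plan rows:", [e.asset for e in build_treatment_plan(REGISTER)])
    print("Data loss scored ignoring vs. with backup:", data_loss_comparison())
```

Running the script prints the register with the file-server row accepted (level 4) and the other two rows flagged for treatment, and `rows_missing_planned_controls` gives an easy audit check that every flagged row actually carries a planned control before the treatment plan is signed off.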