
Expert Advice Community

Risk assessment

Guest user Created:   Mar 31, 2020 Last commented:   Mar 31, 2020

1. Regarding risks that come from outside of the scope, should we consider these risks in the Risk Assessment and apply controls to mitigate them, or do we need to include the source of them in the scope? For example: there are some laptops that can access and (download or view) some sensitive data from what is in the scope, so should we include these laptops in the scope or just apply some controls to mitigate risks coming from them?

2. What is the difference between the existing controls and planned controls? Do we need to have both in the risk register?

3. Should we write already mitigated risks in the risk assessment phase? For example: a security feature in a system is enabled, so there is no risk right now, but if someone disables this feature, then it may lead to a potential risk. So do we need to write down these risks in the risk assessment phase?

4. How can we design criteria for the impact if our scope is in the cloud?


Expert
Rhand Leal Mar 31, 2020

1. Regarding risks that come from outside of the scope, should we consider these risks in the Risk Assessment and apply controls to mitigate them, or do we need to include the source of them in the scope? For example, there are some laptops that can access and (download or view) some sensitive data from what is in the scope, so should we include these laptops in the scope or just apply some controls to mitigate risks coming from them?

Answer: If risks, internal or external, have the potential to impact the elements of the ISMS scope, then you have to include them in the risk assessment, and apply controls to mitigate those identified as unacceptable.

About including the risk source information, ISO 27001 does not prescribe this information as mandatory, so this will depend on the risk assessment methodology you are using, because some of them require this information and others do not.

For further information see: ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

2. What is the difference between the existing controls and planned controls? Do we need to have both in the risk register?

Answer: Existing controls are controls already implemented by the time you perform the risk assessment, while planned controls are controls you intend to implement after the approval of risk treatment.

Existing controls must be included in the risk register if they have any impact on the assessed risk value, and planned controls must be included in the risk register only for risks considered unacceptable that are to be treated (i.e., for risks identified as acceptable there is no need for planned controls).

3. Should we write already mitigated risks in the risk assessment phase? For example, a security feature in a system is enabled, so there is no risk right now, but if someone disables this feature, then it may lead to a potential risk. So do we need to write down these risks in the risk assessment phase?

Answer: This is an example of a risk with an existing control applied, and if this risk is relevant to your ISMS scope, then it must be included in the risk assessment, so you have formal knowledge that it exists and is already being treated.

4. How can we design criteria for the impact if our scope is in the cloud?

Answer: ISO 27001 does not prescribe the use of specific criteria for impact on elements of the scope in the cloud, so you can use the same criteria for impact used in your standard risk assessment.

What happens when part of the scope is in the cloud is a modification of the responsibilities for the assets, and of the impact and likelihood levels for those elements, not of their type.

For further information, see:
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/

These materials can also provide further information:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- ISO 27001:2013 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
