Expert Advice Community

Guest user Created:   Jun 09, 2020 Last commented:   Jun 09, 2020

Risk Assessment

Our organization is ISO27001 certified. Now we need to go for risk assessment. I am confused as our external consultant company is saying that they are using Risk Assessment Matrix as per ISO 27005 & ISO 27001.

Whereas our newly hired auditor is saying that the external consulting company is wrong and we should use Nihari or Octavia.

My question is that as an ISO 27001 certified organization what should we use?


Expert
Rhand Leal Jun 09, 2020

ISO 27001 does not prescribe which methodology an organization must use for risk assessment and risk treatment, only that an approach must be defined, so organizations can adopt the approach that better fits them.

Since you are already ISO 27001 certified, the initial recommendation is for you to keep the approach adopted in the preparation for the certification (it was validated by the certification auditor), and then ask both your external consultant and the auditor about the pros and cons of each recommended approach considering your organizational context, so you can evaluate if you, in fact, need to change your current approach.

For further information, see:
