Risk assessment and risk treatment
If I understood your template correctly, "Risk plan implemented" refers to the status of any action defined to implement controls to treat the risk:
- Yes - the risk plan is already implemented
- No - the risk plan is not implemented yet
- N.A. - Not applicable: no action needs to be implemented
For low-level risks the general option is N.A., since low-level risks are accepted.
For high-level risks, the Yes/No option will depend on when the implementation is checked and on the plan due date. The N.A. option is used when the high-level risk is accepted (e.g., when it is identified that the cost to implement the control is higher than the impact if the risk occurs).
These articles will provide you further explanation about risk assessment and treatment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
Oct 08, 2019