Risk assessment and risk treatment

Guest user. Created: Oct 08, 2019. Last commented: Oct 08, 2019

We already have the below-mentioned risk assessment template fields:
1. Main heading: Risk identification. Under this: Process, risk description
2. Main heading: Risk evaluation. Under this: Consequence, Likelihood, risk level, risk accepted (yes/No)
3. Main heading: Risk control. Under this: Existing risk controls, revised consequence, revised likelihood, residual risk after treating, effectiveness of existing controls, risk mitigation option, completion date, risk plan implemented (yes/No/N.A)
I would need some clarification for the last field after risk mitigation, i.e., risk plan implemented (yes/No/N.A).
Please clarify: for a high-level risk and a low-level risk, should this option be Yes, No or N.A?


Expert
Rhand Leal Oct 08, 2019

If I understood your template correctly, "Risk plan implemented" refers to the status of any action defined to implement controls to treat the risk:

  • Yes - the risk plan is already implemented
  • No - the risk plan is not implemented yet
  • N.A. - no applicable action needs to be implemented

For a low-level risk the general option is N.A., since low-level risks are accepted.

For a high-level risk, the option Yes/No will depend on when the implementation is checked and on the plan due date. The N.A. option is used when the high-level risk is accepted (e.g., when it is identified that the cost to implement the control is higher than the impact if the risk occurs).

These articles will provide you with further explanation about risk assessment and treatment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/

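To make the rule in this answer concrete, here is an added Python sketch (not code from the post or from Advisera) of a risk register row that derives the "risk plan implemented" value from the other template fields as of a given check date. The 1..5 scoring scale, the high-level threshold of 8 and the sample rows are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed scale (the post gives none): 1..5 each, level = product, 8 or more is high-level.
HIGH_RISK_THRESHOLD = 8

@dataclass
class RiskRecord:
    process: str
    consequence: int
    likelihood: int
    risk_accepted: bool                    # template field "risk accepted (yes/No)"
    revised_consequence: int               # values after existing/planned controls
    revised_likelihood: int
    completion_date: Optional[date]        # plan due date; None when there is no plan
    implemented_on: Optional[date] = None  # filled in when the risk plan is completed

    def risk_level(self) -> int:
        return self.consequence * self.likelihood

    def residual_risk(self) -> int:
        return self.revised_consequence * self.revised_likelihood

    def risk_plan_implemented(self, checked_on: date) -> str:
        # Accepted risks (every low-level risk, or a high-level one accepted on
        # cost grounds) have no action to implement, so the field is N.A.
        if self.risk_accepted or self.risk_level() < HIGH_RISK_THRESHOLD:
            return "N.A."
        if self.implemented_on is not None and self.implemented_on <= checked_on:
            return "Yes"
        return "No"  # open plan; Yes/No depends on the date of the check

    def overdue(self, checked_on: date) -> bool:
        # A plan still answered "No" after its completion date needs escalation.
        return (self.risk_plan_implemented(checked_on) == "No"
                and self.completion_date is not None and checked_on > self.completion_date)

# Constructed sample register rows for illustration, not data from the post.
SAMPLE_REGISTER = [
    RiskRecord("Laptop issue", 4, 3, False, 4, 1, date(2019, 11, 30), date(2019, 11, 15)),
    RiskRecord("Backup restore", 3, 3, False, 3, 1, date(2019, 10, 31)),
    RiskRecord("Visitor log", 2, 2, True, 2, 2, None),
    RiskRecord("Legacy server", 3, 3, True, 3, 3, None),
]

def register_status(checked_on_iso: str) -> dict:
    # Field value and overdue flag per process, as of the given ISO date.
    checked_on = date.fromisoformat(checked_on_iso)
    return {r.process: (r.risk_plan_implemented(checked_on), r.overdue(checked_on)) for r in SAMPLE_REGISTER}
```

Running `register_status("2019-10-08")` and again with a later date shows the same high-level row moving from No to Yes once its plan is completed, while accepted and low-level rows stay at N.A.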