Risk Assessment and Risk Treatment template

Answer: The main difference between these three documents are:
- Risk Assessment and Risk Treatment Methodology Cloud covers not only requirements for ISO 27001, but also specific requirements applicable for cloud environments defined by ISO 27017 and for Personal Identifiable Information PII) defined by ISO 27018.
- Risk Assessment and Risk Treatment Methodology Premium covers not only requirements for ISO 27001, but also specific requirements applicable for business continuity defined by ISO 22301.
- Risk Assessment and Risk Treatment Methodology Integrated covers not only requirements for ISO 27001, but also specific requirements applicable for protection of personal data defined EU GDPR.

You can see the specific requirements covered in each document in its own section 2 - Reference Documents.

2 - Also, based on security practices risk is calculated by multiplying likelihood with im pact. However in this methodology you are adding them.

Answer: ISO 27001 does not prescribe how risk is calculated, and the most used practices are multiplying or adding likelihood with impact, and we chose for our template the last mentioned approach. However you can adjust the template approach for multiplying likelihood with impact if you wish so. This is perfectly acceptable by ISO 27001 requirements ( both methods are suggested in ISO 27005).

For further information, see:
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

3 - Please let me know if Advisera has any documentation on how to perform risk assessments on third parties and cloud providers .

Answer: You can use the same risk assessment approach adopted by your organization to perform risk assessments on third parties and cloud providers. Please note that to assess risks on cloud providers you should consider the Risk Assessment and Risk Treatment Methodology Cloud.