Expert Advice Community

Risk Assessment and Risk Treatment template

Guest user Created:   Aug 24, 2019 Last commented:   Aug 24, 2019

1 - Please let me know what the difference is between the 3 different risk assessment and treatment methodology documents. By reading them they look the same.

Expert
Rhand Leal Aug 24, 2019

Answer: The main differences between these three documents are:
- Risk Assessment and Risk Treatment Methodology Cloud covers not only requirements for ISO 27001, but also specific requirements applicable to cloud environments defined by ISO 27017 and to Personally Identifiable Information (PII) defined by ISO 27018.
- Risk Assessment and Risk Treatment Methodology Premium covers not only requirements for ISO 27001, but also specific requirements applicable to business continuity defined by ISO 22301.
- Risk Assessment and Risk Treatment Methodology Integrated covers not only requirements for ISO 27001, but also specific requirements applicable to the protection of personal data defined by the EU GDPR.

You can see the specific requirements covered in each document in its own section 2 - Reference Documents.

2 - Also, based on security practices, risk is calculated by multiplying likelihood with impact. However, in this methodology you are adding them.

Answer: ISO 27001 does not prescribe how risk is calculated; the most used practices are multiplying or adding likelihood and impact, and we chose the last-mentioned approach for our template. However, you can adjust the template approach to multiply likelihood by impact if you wish. This is perfectly acceptable under ISO 27001 requirements (both methods are suggested in ISO 27005).

For further information, see:
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/knowledgebase/how-to-assess-consequences-and-likelihood-in-iso-27001-risk-analysis/

3 - Please let me know if Advisera has any documentation on how to perform risk assessments on third parties and cloud providers.

Answer: You can use the same risk assessment approach adopted by your organization to perform risk assessments on third parties and cloud providers. Please note that to assess risks on cloud providers you should consider the Risk Assessment and Risk Treatment Methodology Cloud.
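The point in answer 2, that ISO 27001 leaves the formula open and a template can add or multiply likelihood and impact, is easier to see on a small register. The Python below is an added example, not code from this thread or from Advisera's templates; the 1-5 scales, the asset names, the threat descriptions and the acceptance thresholds are constructed for illustration. It scores the same register both ways, shows which risks the two formulas rank differently, and shows how the choice of formula changes which risks fall above a treatment threshold.

```python
"""Additive vs multiplicative risk scoring on a constructed ISO 27001-style risk register.

Added example, not code from the forum thread or from Advisera's templates. The 1-5
scales, the register entries and the thresholds below are assumptions for illustration.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Callable, List, Tuple

# Assumed ordinal scales; ISO 27005 leaves the scale and the formula to the organisation.
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int
    impact: int


def _validate(risk: Risk) -> None:
    """Reject values outside the agreed scale so a typo cannot silently inflate a score."""
    for name, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{name}={value} for {risk.asset!r} is outside {SCALE_MIN}-{SCALE_MAX}")


def additive_score(risk: Risk) -> int:
    """Template-style formula: likelihood + impact, range 2..10 on a 1-5 scale."""
    _validate(risk)
    return risk.likelihood + risk.impact


def multiplicative_score(risk: Risk) -> int:
    """Common alternative: likelihood x impact, range 1..25 on a 1-5 scale."""
    _validate(risk)
    return risk.likelihood * risk.impact


Scorer = Callable[[Risk], int]


def score_range(scorer: Scorer) -> Tuple[int, int]:
    """Lowest and highest score the formula can produce; needed to place a threshold sensibly."""
    lo = scorer(Risk("-", "-", SCALE_MIN, SCALE_MIN))
    hi = scorer(Risk("-", "-", SCALE_MAX, SCALE_MAX))
    return lo, hi


def rank(register: List[Risk], scorer: Scorer) -> List[Tuple[str, str, int]]:
    """Register sorted highest risk first; ties keep register order (stable sort)."""
    return sorted(((r.asset, r.threat, scorer(r)) for r in register), key=lambda t: -t[2])


def treatment_needed(register: List[Risk], scorer: Scorer, threshold: int) -> List[str]:
    """Assets whose score reaches the acceptance threshold and therefore need a treatment option."""
    return [r.asset for r in register if scorer(r) >= threshold]


def order_flips(register: List[Risk]) -> List[Tuple[str, str]]:
    """Pairs of risks whose strict ordering reverses between the two formulas."""
    flips = []
    for a, b in combinations(register, 2):
        add_diff = additive_score(a) - additive_score(b)
        mul_diff = multiplicative_score(a) - multiplicative_score(b)
        if add_diff * mul_diff < 0:  # opposite signs: one formula says a > b, the other a < b
            flips.append((a.asset, b.asset))
    return flips


# Constructed register (assumed values, not from any real assessment).
REGISTER = [
    Risk("customer-db", "SQL injection via web app", likelihood=3, impact=5),
    Risk("laptops", "theft of unencrypted laptop", likelihood=4, impact=3),
    Risk("backup-tapes", "loss of tapes in transit", likelihood=1, impact=5),
    Risk("intranet-wiki", "page defacement", likelihood=2, impact=3),
    Risk("email", "phishing leading to credential theft", likelihood=5, impact=2),
]

if __name__ == "__main__":
    for name, scorer in (("additive", additive_score), ("multiplicative", multiplicative_score)):
        print(f"{name}: possible score range {score_range(scorer)}")
        for asset, threat, score in rank(REGISTER, scorer):
            print(f"  {score:>2}  {asset:<14} {threat}")
        print(f"  needs treatment at threshold 6: {treatment_needed(REGISTER, scorer, 6)}")
    print("ordering flips between formulas:", order_flips(REGISTER))
```

The practical consequence is that the formula and the acceptance threshold have to be chosen together: a threshold of 6 sits at the midpoint of the additive 2-10 band but near the bottom of the multiplicative 1-25 band, so the same register yields a different set of risks needing treatment, and low-likelihood/high-impact items (the backup tapes here) rank above moderate items under addition but below them under multiplication.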
