Risk assessment and treatment
We had purchased Advisera’s ISO 27001/22301 documentation toolkit. With regard to the risk assessment and treatment score, our consultant wants to adopt a different matrix for preparing the risk register since he has not come across the scoring methodology you have suggested in the attached document.
Could you please confirm that the scoring method you have given us (for the likelihood, severity and risk scores) is an accepted method by certification bodies since we do not want to face problems with our certification body?
The Risk Assessment and Risk Treatment template is fully compliant with ISO 27001 requirements and is accepted by all certification bodies that have performed the audits on companies that use our toolkits.
However, please note that ISO 27001 does not prescribe how risk must be scored (only that consequence and likelihood must be assessed to determine risk), so if the approach used by your consultant fulfills the standard's requirements, it will also be acceptable to certification bodies. Please be aware that we offer the simplest method available, while consultants typically prefer more complex risk assessment methods.
This article will provide you with further explanation:
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
Feb 19, 2020