Risk assessment and treatment process
1- Are any of these documents filled and maintained in parallel? Or do they have to be filled strictly in sequence i.e. RISK TREATMENT TABLE then SoA then ACCEPTANCE OF RESIDUAL RISK then RISK TREATMENT PLAN etc.
Answer: Considering the risk of rework, you could fill in the risk treatment table and the risk treatment plan in parallel. The advantage of filling them in parallel is that when presenting information for acceptance of residual risk, you can have more detailed information about risk treatments, and this can facilitate the decision on accepting the residual risks and speed up your process. The disadvantage is that if the residual risk value is not accepted, you will lose all the effort and time you allocated. To minimize this risk I would suggest you ask risk owners what information they would need to make their decision regarding residual risk, and when elaborating the risk treatment plan you start only with a general overview of the solution, focusing on what is to be delivered instead of what is to be done.
This material can provide you with information on how to prepare a general overview of a risk treatment plan:
- ISO 27001 project management: Implementing complex security controls using Work Breakdown Structure (WBS) https://advisera.com/27001academy/blog/2015/10/19/iso-27001-project-management-implementing-complex-security-controls-using-work-breakdown-structure-wbs/
2- How can we comment upon “after treatment figures of likelihood and severity of risk” in RISK TREATMENT TABLE without ascertaining the method of control implementation as per SoA and without creating a RISK TREATMENT PLAN in parallel to assign cost and resources?
Answer: These values you set in the after treatment columns are what you expect to achieve after controls implementation. They will just help you define the details of your implementation plan (e.g., resources to be allocated, technologies to be adopted, etc.). After controls implementation, with data from performance monitoring and measurement, you can verify if these values were achieved or if your implementation needs adjustments.
3- Can a single example case be shared in which this complete set of documents was filled from start till end?
Answer: Sure, if you watch the video tutorials that came with your toolkits, you will see for each of the documents (e.g. for Risk treatment table, for Risk treatment plan) how to fill out all the data.
Dec 21, 2016