Risk assessment and treatment

Guest user. Created: Dec 21, 2016. Last commented: Dec 21, 2016.

1 - In the risk assessment/analysis part, the risk values have been evaluated. Now, in the risk treatment table (options), it is required to indicate again the impact and likelihood level. Why? Is this a copy/paste task to list only unacceptable risks (excluding all risks under a defined value)?
Expert
Rhand Leal Dec 21, 2016

Answer: Your understanding is correct. The process uses this copy/paste activity so that in the risk treatment table you can concentrate on the most needed information: the risks considered unacceptable in the risk assessment table, and the adopted treatment options.

2 - Additionally, the risk treatment table requires to set values after treatment, but how can I already do that before having a detailed plan with exact measures?

Answer: These values you set in the after treatment columns are what you expect to achieve after controls implementation. They will help you define the details of your implementation plan (e.g., resources to be allocated, technologies to be adopted, etc.). After controls implementation, with data from performance monitoring and measurement, you can verify if these values were achieved or if your implementation needs adjustments.

These materials will also help you with the risk assessment process:
- Book: Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training: ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
