Expert Advice Community

Risk Assessment Matrix

Guest user Created: Mar 26, 2021 Last commented: Mar 26, 2021

Attached is the risk assessment matrix we chose to use for our organization when doing the ISO 27001 implementation. We think this will make more sense for us than multiplication or addition of 'Impact' and 'Likelihood'. Will there be any issue with using it? Does ISO specify a set of matrices, so that we cannot use anything else?

Expert
Rhand Leal Mar 26, 2021

Please note that ISO 27001 does not prescribe how to determine risk level, only that it needs to be determined, so your risk assessment matrix can be used to fulfill the standard’s requirements.

Only a minor suggestion to be considered (you can keep the current matrix if you like): instead of using “improbable-possible-probable”, adopt “improbable-probable-most probable”, because this way you use the same base word (probable) for the likelihood scale, making it simpler to understand, and at the same time avoiding the use of words “probable” and “possible” in the same scale, since these words can be mistaken as synonyms in some circumstances, creating confusion.

This article will provide you a further explanation about risk analysis:

This material will also help you regarding risk assessment:
