Expert Advice Community

Guest

Risk Assessment Matrix

  Quote
Guest
Guest user Created:   Mar 26, 2021 Last commented:   Mar 26, 2021

Risk Assessment Matrix

Attached is the risk assessment matrix we chose to use for our organization when doing ISO 27001 implementation. We think this will make more sense for us than multiplication or addition of 'Impact' and 'Likelihood'. Will there be any issue of using it, does ISO specify a set of matrixes so we cannot use anything else?

0 0

Assign topic to the user

Assign

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Mar 26, 2021

Please note that ISO 27001 does not prescribe how to determine risk level, only that it needs to be determined, so your risk assessment matrix can be used to fulfill the standard’s requirements.

Only a minor suggestion to be considered (you can keep the current matrix if you like): instead of using “improbable-possible-probable”, adopt “improbable-probable-most probable”, because this way you use the same base word (probable) for the likelihood scale, making it simpler to understand, and at the same time avoiding the use of words “probable” and “possible” in the same scale, since these words can be mistaken as synonyms in some circumstances, creating confusion.

This article will provide you a further explanation about risk analysis:

This material will also help you regarding risk assessment:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Mar 26, 2021

Mar 26, 2021

Suggested Topics

Guest user Created:   Jun 09, 2020 ISO 27001 & 22301
Replies: 1
0 0

Risk Assessment

Guest user Created:   May 25, 2020 ISO 27001 & 22301
Replies: 3
0 0

Risk Assessment