Expert Advice Community

Risk assessment: minimum content?

Guest user | Created: Jan 25, 2022 | Last commented: Jan 26, 2022

In our Risk Assessment table, is there any "minimum" content we should have to be "credible" from an auditor's point of view? Seeing our scope and the assets I've listed, I think I'll end up around 150 lines in the table. Is this Risk Assessment Table a good document you would be able to review for me and provide feedback on? Or is this too specific to a certain business (like ours, which is focused on our SaaS platform)?

Expert
Rhand Leal Jan 26, 2022

1 - In our Risk Assessment table, is there any "minimum" content we should have to be "credible" from an auditor's point of view? Seeing our scope and the assets I've listed, I think I'll end up around 150 lines in the table.

ISO 27001 does not require a "minimum" number of risks, only that relevant risks are identified and treated.

Considering that, the auditor will be more concerned about the quality of the identified risks (i.e., how relevant they are for the organization) than their quantity. The single point you need to pay attention to is to not overlook obvious risks, i.e., risks that someone with proper competence in the process or asset would easily identify. To mitigate this risk, you need to include in the risk assessment the personnel involved with the process or asset.

As for the number of risks you mentioned, 150 is a good number. To have a parameter, when using the asset-threat-vulnerability approach, a small organization generally identifies between 50 and 100 assets, with 3 vulnerabilities and 2 threats for each asset, so they identify between 300 and 600 risks.

An important thing to note is that risks for which you have already implemented controls (and you will only accept the risk) also count toward your relevant risks.

These articles will provide you with a further explanation about risk assessment and treatment:

2 - Is this Risk Assessment Table a good document you would be able to review for me and provide feedback on? Or is this too specific to a certain business (like ours, which is focused on our SaaS platform)?

As part of your toolkit, you can submit a certain quantity of documents for our review, so we can provide feedback about your work, and the Risk Assessment Table can be one of them.
