Risk assessment: minimum content?
1 - In our Risk Assessment table, is there any "minimum" content we should have to be "credible" from an auditor's point of view? Seeing our scope and the assets I've listed, I think I'll end up with around 150 lines in the table.
ISO 27001 does not require a "minimum" number of risks, only that relevant risks are identified and treated.
Considering that, the auditor will be more concerned about the quality of the identified risks (i.e., how relevant they are for the organization) than their quantity. The single point you need to pay attention to is not overlooking obvious risks, i.e., risks that someone with proper competence in the process or asset would easily identify. To mitigate this risk, you need to include the personnel involved with the process or asset in the risk assessment.
As for the number of risks you mentioned, 150 is a good number. As a parameter, when using the asset-threat-vulnerability approach, a small organization generally identifies between 50 and 100 assets, with 3 vulnerabilities and 2 threats for each asset, so it identifies between 300 and 600 risks.
An important thing to note is that risks for which you have already implemented controls (and for which you will only accept the risk) also count toward your relevant risks.
These articles will provide you with further explanation about risk assessment and treatment:
- ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/knowledgebase/how-to-assess-consequences-and-likelihood-in-iso-27001-risk-analysis/
- 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
- Risk assessment tips for smaller companies https://advisera.com/27001academy/blog/2010/02/22/risk-assessment-tips-for-smaller-companies/
2 - Is this Risk Assessment Table a good document that you would be able to review for me and provide feedback on? Or is this too specific to a certain business (like ours, which is focused on our SaaS platform)?
As part of your toolkit, you can submit a certain quantity of documents for our review, so we can provide feedback about your work, and the Risk Assessment Table can be one of them.
Jan 26, 2022