Risk assessment: multiple vulnerabilities for the same threat

Please note that in the Risk Assessment Table and in the Risk Treatment Table, each line corresponds to a single risk (i.e., a single set of asset-treat-vulnerability). If you merge all information in a single line, it will be more difficult for someone to understand which control is being applied to each risk. Additionally, the merged information will make it more complicated for you to apply the Excel filter to analyze, for example, which control is being more applied, which threat/vulnerability is more frequent, etc.

In short, merging information may reduce the number of lines in your tables, but it will make your overall analysis more difficult.

For further information, check out our Risk assessment and our Risk treatment.

What about the risks where I have multiple controls for mitigation? do you choose one control and ignore the others? 

In this case, you include one row for each control used to treat the same risk. For example, if you want to use 3 controls to treat the same risk, then you will have three rows with the same risk and one for each control.

This way, you will have a better notion of how each control impacts the risk (some controls may impact only likelihood or only impact), and you can evaluate if all controls are really necessary (i.e. if you are not including excessive controls).