Risk assessment process
Our team has decided to move forward with a new approach for Risk Management, wherein they will not be doing the analysis of the risks identified; instead, all the risks for a particular process will be identified, the key controls will be identified, and these will be evaluated based on the impacts: financial, reputational, and the effectiveness of the existing controls.
Could you please advise whether there will be any impacts to the organization, as well as to our existing ISO certification, if we deviate from the standard by not performing the risk analysis?
Also, does the standard give us any flexibility to avoid performing the analysis of risks?
Your advice please...
Answer: ISO 27001, in its clause 6.1.2, requires the definition of criteria to assess the consequences and likelihood of risks, as well as of how the risk will be calculated, which is basically the definition of risk analysis. So, by not performing risk analysis you are not complying with a requirement of the standard.
But the standard gives you flexibility to keep the risk analysis, as well as other steps of risk assessment, as simple as possible, so you can avoid unnecessary effort.
These articles will provide you with further explanation about the risk assessment process:
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
- How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
- ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification https://advisera.com/27001academy/blog/2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identification/
These materials will also help you regarding the risk assessment process:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
Apr 29, 2017