Risk assessment process
Answer: You have to evaluate likelihood at the planning level, because at this point it will help you decide which risk treatment option is more appropriate, and it will be less costly to make changes if you identify a need for changes. After the implementation level, the likelihood evaluation is used to confirm the expected likelihood you identified during the planning phase and to make proper adjustments.
2. At what level do you evaluate the residual risk?
Answer: The first evaluation is made during the planning phase, after the definition of the risk treatment option. This is a kind of expected residual risk.
After the implementation phase, during the controls performance review, you use real data to evaluate the residual risk, to confirm the assumptions you made during the planning phase and to make proper adjustments.
For both answers, this article will provide you with further explanation about risk assessment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
These materials will also help you regarding risk assessment:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Jul 17, 2018
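The two-stage evaluation described in the answer above (an expected residual risk estimated at planning time, then a residual risk recomputed from real data during the controls performance review) can be modelled as a small risk register. The following is an added example, not code from the 27001Academy post or from any ISO 27001 tool; it assumes a 1-5 likelihood scale, a 1-5 impact scale, a risk score of likelihood times impact, and an acceptance threshold of 6, all of which are constructed for illustration, as are the three sample risks.

```python
"""Planning-phase vs. implementation-phase residual risk in a small risk register.

Added example (not from the original post). Assumed, constructed scales:
likelihood 1-5, impact 1-5, risk = likelihood * impact (1-25),
and an acceptance threshold of 6.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ACCEPTABLE_RISK = 6  # constructed acceptance threshold on the 1-25 scale


@dataclass
class Risk:
    name: str
    likelihood: int                  # 1-5, estimated at the planning level
    impact: int                      # 1-5
    treatment: str                   # mitigate / accept / avoid / transfer
    expected_likelihood_after: int   # planning-level estimate once the control is in place
    observed_likelihood_after: Optional[int] = None  # filled in at the performance review

    def inherent(self) -> int:
        """Risk before any treatment, as assessed at planning time."""
        return self.likelihood * self.impact

    def expected_residual(self) -> int:
        """Planning phase: residual risk assuming the control works as designed."""
        return self.expected_likelihood_after * self.impact

    def observed_residual(self) -> Optional[int]:
        """Implementation phase: residual risk from real data, or None if not yet reviewed."""
        if self.observed_likelihood_after is None:
            return None
        return self.observed_likelihood_after * self.impact


def review(risks: List[Risk]) -> Dict[str, dict]:
    """Compare the planning-phase assumption with the measured result for each risk.

    Status values:
      "pending review"  - no real data collected yet
      "confirmed"       - observed residual is no worse than expected and acceptable
      "adjust treatment"- observed residual exceeds the expectation or the threshold
    """
    report = {}
    for r in risks:
        observed = r.observed_residual()
        if observed is None:
            status = "pending review"
        elif observed <= r.expected_residual() and observed <= ACCEPTABLE_RISK:
            status = "confirmed"
        else:
            status = "adjust treatment"
        report[r.name] = {
            "inherent": r.inherent(),
            "expected_residual": r.expected_residual(),
            "observed_residual": observed,
            "status": status,
        }
    return report


# Constructed sample register: one control that underperformed, one that held,
# one accepted risk not yet reviewed.
SAMPLE_REGISTER = [
    Risk("Phishing credential theft", 4, 4, "mitigate",
         expected_likelihood_after=1, observed_likelihood_after=3),
    Risk("Backup media loss", 2, 3, "mitigate",
         expected_likelihood_after=1, observed_likelihood_after=1),
    Risk("Office flood", 1, 3, "accept",
         expected_likelihood_after=1),
]

if __name__ == "__main__":
    for name, row in review(SAMPLE_REGISTER).items():
        print(f"{name}: inherent={row['inherent']} expected={row['expected_residual']} "
              f"observed={row['observed_residual']} -> {row['status']}")
```

The "adjust treatment" status is exactly the case the answer describes: the planning-phase likelihood estimate was optimistic, the real data shows a higher residual risk, and the treatment option or control needs to be revisited.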