Risk assessment question

Guest user Created: Jul 03, 2020 Last commented: Jul 03, 2020

1. Please correct me if my process is wrong. I have identified one risk title and risk level (High) after doing a risk assessment on one application; this risk is then treated by risk acceptance by the risk owner for the acceptance period. Thus I keep the risk level after this treatment at the same level (High), with the status closed for the acceptance period, and it will be opened again after the acceptance period is over.

2. Could the risk level of the same risk title be different after doing a risk assessment on different applications?
I appreciate your kind comments and support.

Expert: Rhand Leal, Jul 03, 2020

1. Please correct me if my process is wrong. I have identified one risk title and risk level (High) after doing a risk assessment on one application; this risk is then treated by risk acceptance by the risk owner for the acceptance period. Thus I keep the risk level after this treatment at the same level (High), with the status closed for the acceptance period, and it will be opened again after the acceptance period is over.

Your thinking process is correct (but instead of risk title you should consider calling it a risk statement). After accepting the risk, since you will not apply any control, you need to keep the risk level as High until the next assessment.

But please note that to accept a high risk you need to have a robust justification, such as that the effort and resources required to reduce the risk to an acceptable level are greater than the impact if the risk materializes.

For further information see:

2. Could the risk level of the same risk title be different after doing a risk assessment on different applications?
I appreciate your kind comments and support.

The same risk statement can be of different levels for different applications if they have different values for the organization.

For example, the risk of data loss due to malware can have different values depending on whether it occurs in a local inventory application or in the payroll application.

This article will provide you with a further explanation about risk assessment:
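The two points in the answer above (an accepted risk keeps its level and only its status changes until the acceptance period ends; the same risk statement can score differently on assets of different value) are easy to get wrong in a spreadsheet-style register. Below is an added, constructed example of a minimal risk-register model that encodes both rules; it is not code from the original thread or from any particular toolkit. The 1..5 likelihood and impact scales, the level thresholds, the requirement of a written justification for accepting a High risk, and the asset names and dates are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


# Likelihood and impact are on a 1..5 scale; the thresholds below are an
# assumption for this example, not something stated in the thread.
def risk_level(likelihood: int, impact: int) -> str:
    """Map likelihood x impact to a qualitative level."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be 1..5")
    score = likelihood * impact
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


@dataclass
class Acceptance:
    """Record of a risk-acceptance decision and its validity window."""
    risk_owner: str
    accepted_on: date
    valid_until: date
    justification: str


@dataclass
class Risk:
    """One risk-register entry: a risk statement tied to a specific asset."""
    statement: str
    asset: str
    likelihood: int
    impact: int
    acceptance: Optional[Acceptance] = None

    @property
    def level(self) -> str:
        # Acceptance applies no control, so it does not change the level.
        return risk_level(self.likelihood, self.impact)

    def accept(self, risk_owner: str, on: date, until: date, justification: str) -> None:
        """Treat the risk by acceptance for a bounded period."""
        if until <= on:
            raise ValueError("acceptance period must end after it starts")
        # Hypothetical rule: accepting a High risk needs a substantive justification.
        if self.level == "High" and len(justification.split()) < 10:
            raise ValueError("accepting a High risk requires a substantive justification")
        self.acceptance = Acceptance(risk_owner, on, until, justification)

    def status_on(self, today: date) -> str:
        """Status as it should appear in the register on a given day."""
        if self.acceptance is None:
            return "Open"
        if today <= self.acceptance.valid_until:
            return "Closed (accepted)"
        return "Open (acceptance expired, reassess)"


def build_register() -> dict:
    """Constructed sample: the same statement on two applications of different value."""
    statement = "Data loss due to malware"
    inventory = Risk(statement, "local inventory application", likelihood=4, impact=2)
    payroll = Risk(statement, "payroll application", likelihood=4, impact=5)
    payroll.accept(
        risk_owner="Head of Finance",  # assumed risk owner
        on=date(2020, 7, 3),
        until=date(2021, 1, 3),
        justification=("Replacing the legacy payroll platform costs more than the "
                       "expected loss; migration is budgeted for next fiscal year."),
    )
    return {"inventory": inventory, "payroll": payroll}


if __name__ == "__main__":
    register = build_register()
    for name, risk in register.items():
        print(name, risk.level,
              risk.status_on(date(2020, 7, 3)), "|", risk.status_on(date(2021, 2, 1)))
```

Running it shows the inventory entry at Medium and the payroll entry at High for the identical statement, and the payroll entry flipping from "Closed (accepted)" back to "Open" once the acceptance period has passed while its level stays High throughout.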
