Risk assessment questionnaire
Answer: No. Although many questions are common, each questionnaire should also contain questions regarding the specific business process under assessment, and elaborating a single questionnaire to try to cover all possible questions is impractical. When you do an interview, you adjust your questions "on the fly", depending on the interviewee's answers and your own perception. Questionnaires are useful when you need to gather specific information. When you do not have a focus to work on, it is better to use interviews.
Our ISO 27001 toolkits work with the asset-threat-vulnerability approach, using a risk assessment sheet which needs to be filled out, together with a video tutorial which explains how this is done, so in this case the use of a questionnaire is not really applicable with risk assessment. You can take a look at the free demo of our Risk Assessment Table at this link https://advisera.com/27001academy/documentation/risk-assessment-table/
This article will provide you further explanation about risk assessment methods based on interviews, checklists and other tools:
- ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification https://advisera.com/27001academy/blog/2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identification/
These materials will also help you regarding risk assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
Apr 12, 2017