
Expert Advice Community

Risk assessment questions

Guest user Created:   Mar 21, 2018 Last commented:   Mar 21, 2018

1 -What are the differences between risk assessment report, risk treatment report and statement of applicability?
Expert
Rhand Leal Mar 21, 2018

Answer: The risk assessment report presents a brief explanation of the risk assessment methodology, the identified risks, and those risks evaluated as unacceptable by the organization. The risk treatment report presents a brief explanation of the risk treatment methodology and the treatments chosen for all risks the organization considered unacceptable, as well as for those the organization decided to treat for other reasons (e.g., because of legal requirements or because it considers the treatment a best practice).

Generally, the risk assessment and risk treatment reports are presented as a single document.

The statement of applicability presents a summary of which controls are necessary, the justification for their inclusion, whether they are implemented or not, and the justification for the exclusion of controls from Annex A.

These articles will provide you further explanation about Risk Assessment, Risk Treatment and SOA:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

2 - Does ISO 27001 specify the form of scope?

Answer: ISO 27001 does not specify the form of the scope, only the minimal information that must be considered in its definition:
- external and internal issues related to the understanding of the organization and its context;
- the requirements of relevant interested parties; and
- interfaces and dependencies between the organization and other organizations.

These articles will provide you further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

These materials will also help you regarding scope definition:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
