
Expert Advice Community

Risk assessment review

Guest user | Created: Jun 18, 2020 | Last commented: Jun 18, 2020

Please, could you answer my questions? I sent them to the chat, but you didn't answer them during the webinar.

When we implemented ISO 27001 two years ago (small company, 10 people), our first risk assessment table had many unacceptable risks, so we created various treatments (controls, safeguards, document policies...) to regulate these risks. Taking the treatment controls into account, the new assessment showed just one risk that remains as a residual risk; the other risks have a lower (acceptable) value.

Now, we have modified our methodology and revised our risks in a new table (new version of the document). I have two questions:

1. When we revise the risk management table on an annual basis (new document), I'm not sure whether we assess risks (consequence and likelihood) with all implemented controls/safeguards in mind or without them. If we take already implemented controls into account when assessing risks, almost all risks are acceptable (few residual risks remain), and there is no need for additional treatment at this moment.

2. Hypothetical: if all risks are acceptable according to our methodology, is it OK not to have a Risk Treatment Plan?

Expert: Rhand Leal | Jun 18, 2020

1. When we revise the risk management table on an annual basis (new document), I'm not sure whether we assess risks (consequence and likelihood) with all implemented controls/safeguards in mind or without them. If we take already implemented controls into account when assessing risks, almost all risks are acceptable (few residual risks remain), and there is no need for additional treatment at this moment.

When you perform a risk assessment review, you need to consider the risk values including the effects of implemented controls. You only need to ensure that the information about the implemented controls is also documented in the risk assessment.

2. Hypothetical: if all risks are acceptable according to our methodology, is it OK not to have a Risk Treatment Plan?

It is acceptable to have no update to the current Risk Treatment Plan in case all risks are acceptable, but please note that the Risk Treatment Plan can also be used to improve control efficiency (i.e., you can achieve the same results using fewer resources), or in case you need to change technology but this change will not have an effect on the risk value.

This article will provide you with a further explanation about continual improvement:
