Expert Advice Community

Risk Assessment, Risk Treatment, and Data Protection Impact Assessment templates

Guest user Created:   Feb 23, 2018 Last commented:   Feb 23, 2018

As you might know by now our company XXXX is working towards ISO 27001 and GDPR compliance.

Expert
Rhand Leal Feb 23, 2018

Our priority at the moment is complying with GDPR (for obvious reasons) and ensuring data protection, in particular in our cloud-based solution. We will of course ensure data protection in other business areas also, but our main focus at the moment is within our solution. In relation to this, I have been looking into the ISO 27018 standard for controls, and I see that the controls in this standard are very similar to the requirements from our customers and also GDPR.

As a risk manager I am trying to figure out an effective way to perform risk assessments in accordance with information security (ISO 27001) and personal data protection (ISO 27018). Do you have any advice on how I should structure this? At which end should I start? I have started several times, but I feel as though the structure in my Excel sheet is not good when I try to combine this. Should I have a separate file for personal data protection (privacy risks) and information security risks, or could these be combined in some way?

Could you provide a simple example of how you would structure the different risk assessments? Particularly risk-assessing a cloud solution for personal data protection. Is this something I can find advice on in the ISO 27018 standard? Or in ISO 27017? We have not purchased any of these standards yet, but we are considering it.

Hope you can assist me on my doubts around this.

Answer: You should go for separate files for information security risks and privacy risks. In fact, in the EU GDPR & ISO 27001 Integrated Documentation Toolkit you bought, you have the following templates that can help you:
- Risk Assessment and Risk Treatment Methodology, located at folder 7 - Risk Assessment and Risk Treatment
- Data Protection Impact Assessment Methodology, located at folder 8 - Data Protection Impact Assessment

Also included in the toolkit, you have access to a video tutorial that will guide you on how to fill in the risk assessment and risk treatment methodology.

Regarding ISO 27017 and ISO 27018, they do not provide guidance on the risk assessment process, only on the implementation of security controls related to cloud environments and privacy, respectively.

These articles will provide you further explanation about Risk Assessment and Risk Treatment and Data Protection Impact Assessment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- 5 phases of the EU GDPR Data Protection Impact Assessment https://advisera.com/eugdpracademy/knowledgebase/5-phases-of-the-eu-gdpr-data-protection-impact-assessment/

These materials will also help you regarding Risk Assessment and Risk Treatment and Data Protection Impact Assessment:
- EU GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
