Expert Advice Community

Risk assessment table

Guest user Created:   Mar 27, 2020 Last commented:   Mar 27, 2020

From the tutorial:

1. is the risk rating based on taking into account existing controls or in the case of no controls at all, before controls are applied?
How does control No 4 affect the risk level of risk no 4?

Shouldn't the sequence be:
- assess risk
- take into account existing controls
- update risk taking into account existing controls
- perform risk treatment for unacceptable risks and document in risk treatment table
- define a risk treatment plan

2. what about existing controls for No 1-3? None implemented yet?

3. What about controls for risks that can be accepted?

Expert
Rhand Leal Mar 27, 2020

1. is the risk rating based on taking into account existing controls or in the case of no controls at all, before controls are applied?
How does control No 4 affect the risk level of risk no 4?

Shouldn't the sequence be:
- assess risk
- take into account existing controls
- update risk taking into account existing controls
- perform risk treatment for unacceptable risks and document in risk treatment table
- define a risk treatment plan

Risk rating must consider already implemented controls because this situation reflects the reality of your organization.

The mentioned control (locked in the file cabinet) decreases the effect of the vulnerability (unauthorized access to facilities allowed) on the likelihood, because even if a person has unauthorized access to the facilities, the confidentiality agreement is in a locked cabinet, so a person without the appropriate tools will not be able to access the agreement.

Considering your proposed sequence, taking into account the existing controls is performed at the same time as you assess the risk, because the control affects the components of the risk (i.e., impact and/or likelihood). So the sequence would be:

  • assess risk, take into account existing controls
  • perform risk treatment for unacceptable risks and document in risk treatment table
  • define a risk treatment plan

2. what about existing controls for No 1-3? None implemented yet?

In the tutorial, there are no controls implemented for risks 1-3. These examples were used to demonstrate the most common situation, where there are no controls implemented and a single asset can have multiple risks associated with it.

3. What about controls for risks that can be accepted?

For risks with no currently implemented controls that are acceptable, you do not need to associate controls, so there is nothing to fill in in the last column.

In case you have a risk that is acceptable because you have an implemented control associated with it, you should evaluate if this control needs some kind of adjustment (e.g., a technological update, or change in the process). If no adjustments are needed then your job is finished.

If you understand that the control needs adjustment, then you must include this risk in the next step of the process, risk treatment.

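The sequence described in the answer (rate each risk with its existing controls already factored into likelihood and/or impact, then send only unacceptable risks, plus acceptable risks whose existing control needs adjustment, to the risk treatment table) as a runnable model. This is an added example, not code from the tutorial or from the forum participants. The 1-5 scales, the likelihood-times-impact rating, the acceptance threshold of 9, the sample register (risks 1-3 on one asset with no controls, risk 4 with the locked-cabinet control) and the reduction values are all constructed assumptions; the tutorial does not give them.

```python
from dataclasses import dataclass, field

# Hypothetical scales, not from the tutorial: likelihood and impact are each 1-5,
# risk level = likelihood x impact, and anything above ACCEPTANCE_THRESHOLD is unacceptable.
ACCEPTANCE_THRESHOLD = 9


@dataclass
class Control:
    """An already implemented control and how it changes the risk components."""
    name: str
    likelihood_reduction: int = 0   # points subtracted from likelihood (assumed scale)
    impact_reduction: int = 0       # points subtracted from impact (assumed scale)
    needs_adjustment: bool = False  # e.g. a technology update or process change is required


@dataclass
class Risk:
    risk_id: int
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                 # rating before any control is considered
    impact: int
    existing_controls: list = field(default_factory=list)

    def inherent_level(self) -> int:
        """Risk level if no controls at all were in place (for comparison only)."""
        return self.likelihood * self.impact

    def residual_likelihood(self) -> int:
        reduction = sum(c.likelihood_reduction for c in self.existing_controls)
        return max(1, self.likelihood - reduction)

    def residual_impact(self) -> int:
        reduction = sum(c.impact_reduction for c in self.existing_controls)
        return max(1, self.impact - reduction)

    def level(self) -> int:
        """The rating that goes in the risk assessment table: existing controls included."""
        return self.residual_likelihood() * self.residual_impact()

    def acceptable(self) -> bool:
        return self.level() <= ACCEPTANCE_THRESHOLD


def treatment_reason(risk: Risk):
    """Why a risk goes to the risk treatment table, or None if nothing more is needed."""
    if not risk.acceptable():
        return "unacceptable"
    # Acceptable only thanks to an existing control: treat it if that control needs adjustment.
    for control in risk.existing_controls:
        if control.needs_adjustment:
            return f"existing control needs adjustment: {control.name}"
    return None


def build_treatment_table(risks):
    """Rows for the risk treatment table: only risks that need treatment, with the reason."""
    rows = []
    for r in risks:
        reason = treatment_reason(r)
        if reason is not None:
            rows.append({"risk_id": r.risk_id, "asset": r.asset,
                         "level": r.level(), "reason": reason})
    return rows


# Constructed sample register (not the tutorial's data). Risks 1-3 share one asset and
# have no controls; risk 4 carries the locked-cabinet control discussed in the thread.
RISK_REGISTER = [
    Risk(1, "Sales laptop", "Theft", "Disk not encrypted", likelihood=4, impact=4),
    Risk(2, "Sales laptop", "Malware infection", "No endpoint protection", likelihood=3, impact=3),
    Risk(3, "Sales laptop", "Hardware failure", "No backup of local files", likelihood=2, impact=5),
    Risk(4, "Confidentiality agreement (paper)", "Unauthorized disclosure",
         "Unauthorized access to facilities allowed", likelihood=4, impact=3,
         existing_controls=[Control("Locked in the file cabinet", likelihood_reduction=2)]),
]

if __name__ == "__main__":
    for r in RISK_REGISTER:
        print(f"Risk {r.risk_id}: inherent {r.inherent_level()}, rated {r.level()}, "
              f"acceptable={r.acceptable()}")
    for row in build_treatment_table(RISK_REGISTER):
        print("treat:", row)
```

Under these assumed scales risk 4 would rate 12 (unacceptable) with no controls, but the locked cabinet lowers the likelihood from 4 to 2, so the rating recorded in the assessment table is 6 and the risk is accepted with no further entry; only risks 1 and 3 reach the treatment table. Flip `needs_adjustment` on the cabinet control and risk 4 joins them, which is the third case in the answer.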
