Risk Control Table
I will look forward to hearing from the expert.
In the example above in the screenshot I have given the consequence score of because of the existing controls. But should I be putting in the score prior to consideration of controls, which would be a' and then putting the lower Risk score into the Risk Treatment Table after consideration of the controls, even though they are already in place?
When you assess the impact and the likelihood of a risk, you have to take into account the existing controls, filling in the information about them in the column "Existing controls", so your example is the proper way to assess risks when controls are already implemented.
This article will provide you with a further explanation about likelihood and impact:
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
This material will also help you regarding risk management:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
May 07, 2021