Risk levels and decision-makers
About risk levels and decision-makers, could you share some insights? I am confused about who the decision-maker is for setting the level of a risk, and on which criteria that level is based.
ISO 27001 does not prescribe who needs to determine the level of risk, but as a good practice, this definition is made by the risk owner, who needs to accept the residual risk defined after the selection of risk treatment (see ISO 27001 clause 6.1.3 f).
His decision is based on the risk levels defined in the Risk Assessment and Risk Treatment Methodology Document (the risk assessment and treatment processes need to be documented as required by clauses 6.1.2 and 6.1.3).
For further information, see:
Oct 11, 2023