Expert Advice Community

Home / ISO 27001 & 22301 / Risk levels and decision-makers

Guest

Risk levels and decision-makers

ISO 27001 & 22301
  Quote
Guest
Guest user Created:   Oct 11, 2023 Last commented:   Oct 11, 2023

Risk levels and decision-makers

ISO 27001 & 22301

About risk levels and decision-makers, could you share some insights? I got confused on who will be the decision maker on putting the level of the risk and based on which criteria the level was set?

Tags: Product: ISO 27001 Internal Auditor Course
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.
Expert
Rhand Leal Oct 11, 2023

ISO 27001 does not prescribe who needs to determine the level of risk, but as a good practice, this definition is made by the risk owner, who needs to accept the residual risk defined after the selection of risk treatment (see ISO 27001 clause 6.1.3 f).

His decision is based on the risk levels defined in the Risk Assessment and Risk Treatment Methodology Document (the risk assessment and treatment processes need to be documented as required by clauses 6.1.2 and 6.1.3).

For further information, see:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Oct 11, 2023

Oct 11, 2023

Suggested Topics
Atheer AlMartan Created:   Feb 11, 2024 ISO 27001 & 22301
Replies: 1
0 0

Statement of Acceptance of Residual Risks
Tanya S Created:   Dec 01, 2023 ISO 27001 & 22301
Replies: 1
0 0

Residual Risk Calculations
Guest user Created:   Oct 31, 2023 ISO 27001 & 22301
Replies: 1
0 0

Question on risk register and selection of the assets