Risk Management Criteria
If there is no recorded occurrence of an event, but there is also no way of knowing whether the event occurred previously, do we score it Low or Medium/High?
For example: I know that people can download company data onto their home devices through a browser-based application. There are no recorded occurrences, but there is also no way of knowing whether this has happened.
My concern with such a case is that, whilst I don't want to commit scant resources to dealing with a risk that is perhaps not significant, I also do not want to leave a security hole in the business's defences for data to leak through.
Answer: Besides internal historical data, the likelihood can also be identified by other means, such as historical data available from the organization's industry (e.g., industry reports), statistical models, or expert opinion.
This article may provide you with more information about identifying likelihood:
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
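As an added illustration (not part of the original question or answer, and not Advisera's own method), the scoring below shows one way to apply the answer's point: when internal history gives no signal, likelihood is taken from the other sources the answer names (industry data, expert opinion) rather than defaulting to "rare". The 1..5 scales, the rate thresholds, the risk bands and the sample figures for the browser-download scenario are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed 1..5 likelihood scale (assumption, not from the page).
LIKELIHOOD_LABELS = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}


@dataclass
class LikelihoodEvidence:
    """Evidence available for one risk scenario.

    internal_occurrences: number of recorded events; None means the organization
        has no way of knowing (no monitoring), which is different from 0 observed
        under monitoring.
    industry_rate: fraction of peer organizations reporting the event per year
        (from an industry report), or None if unavailable.
    expert_estimate: 1..5 judgement from a subject-matter expert, or None.
    """
    internal_occurrences: Optional[int]
    industry_rate: Optional[float]
    expert_estimate: Optional[int]


def rate_to_scale(rate: float) -> int:
    """Map an annual industry rate onto the 1..5 scale (thresholds are assumptions)."""
    if rate < 0.05:
        return 1
    if rate < 0.20:
        return 2
    if rate < 0.50:
        return 3
    if rate < 0.80:
        return 4
    return 5


def score_likelihood(ev: LikelihoodEvidence) -> int:
    """Combine the available sources conservatively (take the highest).

    Internal history only contributes when the organization can actually observe
    the event; 0 observed under monitoring scores 1, while None contributes nothing,
    so the score then rests on industry data and expert opinion.
    """
    sources = []
    if ev.internal_occurrences is not None:
        sources.append(min(5, 1 + ev.internal_occurrences))
    if ev.industry_rate is not None:
        sources.append(rate_to_scale(ev.industry_rate))
    if ev.expert_estimate is not None:
        sources.append(ev.expert_estimate)
    if not sources:
        raise ValueError("no likelihood evidence available; gather industry data or expert opinion")
    return max(sources)


def risk_rating(likelihood: int, impact: int) -> tuple:
    """Likelihood x impact with constructed treatment bands (assumption)."""
    score = likelihood * impact
    if score <= 4:
        band = "accept"
    elif score <= 9:
        band = "monitor"
    else:
        band = "treat"
    return score, band


# Constructed scenario from the question: browser-based download to home devices,
# no recorded occurrences and no way of knowing. Industry rate and expert estimate
# are invented sample values.
BROWSER_DOWNLOAD = LikelihoodEvidence(internal_occurrences=None, industry_rate=0.35, expert_estimate=3)

# Contrasting constructed scenario: the event is monitored and has never been seen.
MONITORED_NEVER_SEEN = LikelihoodEvidence(internal_occurrences=0, industry_rate=None, expert_estimate=None)

if __name__ == "__main__":
    for name, ev, impact in [("browser download", BROWSER_DOWNLOAD, 4),
                             ("monitored, never seen", MONITORED_NEVER_SEEN, 4)]:
        lk = score_likelihood(ev)
        score, band = risk_rating(lk, impact)
        print(f"{name}: likelihood {lk} ({LIKELIHOOD_LABELS[lk]}), impact {impact}, risk {score} -> {band}")
```

The design choice worth noting is that "no way of knowing" is modelled as missing evidence, not as zero occurrences; a monitored control with zero events scores low, while an unmonitored one inherits whatever the industry data or expert says.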
Jul 25, 2018