Risk management process
1 - During the risk assessment, can we already take existing controls into consideration to assess the risk level, and immediately assess the residual risk?
Answer: In fact you must consider the existing controls when assessing risk, including the information about implemented controls in the last column. In this case the assessed risk will already be a residual risk, which can or cannot be acceptable according to your risk acceptance criteria.
2 - In the toolkit there is a risk treatment “table” and a risk assessment “plan”. What is the difference between both documents, because in my assumption the “table” is already enough as a plan?
Answer: The Appendix 2 Risk Treatment Table is the document used to select treatment options and controls.
The Risk Treatment Plan is the document where you list all the actions and resources needed to implement the treatment options identified in the Risk Treatment Table, as well as the respective deadlines and responsible people.
As you can see, from the Risk Treatment Table to the Risk Treatment Plan, the information becomes more focused on the risks that must be treated. You could have all this information in a single document, but this would make it more complex to handle.
By the way, included in the toolkit you bought you have access to video tutorials that will explain these documents to you and how to fill them in.
This article will provide you with further explanation about risk treatment and the risk treatment plan:
- Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
Jun 07, 2019