Expert Advice Community

Risk management process

Guest user Created:   Mar 26, 2020 Last commented:   Mar 26, 2020

Risk management process

Is the following order of steps for the risk management process, as provided in the ISO 27001 Foundation course, correct?
Shouldn't the RTP be created before the SoA?

1. Define risk assessment methodology
2. Conduct risk assessment
3. Select risk treatment options
4. Create Statement of Applicability (SoA)
5. Create risk treatment plan (RTP)


Expert
Rhand Leal Mar 26, 2020

This order follows exactly the sequence of requirements of ISO 27001.

Please note that the Risk Treatment Plan defines the actions, resources, responsibilities, and dates for the implementation of the risk treatment options (e.g., risk transfer and risk mitigation), and you first need these options to be approved, generally as part of the SoA approval, so that you can minimize the risk of rework or loss of time if a treatment option is not approved.

These articles will provide you with further explanation about the risk management process:
