ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
1. What is the objective of Risk Assessment?
Answer: The objective of risk assessment is to identify and prioritize risks you are exposed to, according predefined criteria. This way you will have an overview which one your should handle first and why.
2 What are the methods of Risk Remediation?
Answer: There are 4 general risk remediation options: 1) decrease the risk; 2) share the risk; 3) avoid the risk; and 4) retain the risk. See more information in this article:
- 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
3. Why risk assessment is conducted?
Answer: A risk assessment may be conducted to fulfil a legal requirement (e.g., law, standard or contractual clause) or an organization's decision. In either case, the purpose is to use its results to make better decisions considering the organizational resources available and the main risks to which is exposed.
4. What are the steps to conduct the risk assessment?
Answer: According to ISO 27001, the risk assessment process includes 6 steps: 1) risk assessment methodology; 2) risk assessment implementation; 3) risk treatment implementation; 4) risk assessment report; 5) Statement of Applicability; and 6) Risk treatment plan. For more information, see this article: ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
5. Is it a good idea to define policies/procedure/guidelines before risk assessment or vice versa of it?
Answer: You should define policies/procedure/guidelines for treating risks after the risk assessment, so you will define only what is needed to handle the risks you are exposed to. Only the documentation related to risk assessment methodology should be defined first, so everyone performing the assessment do that the same way.
This article will provide you further explanation about risk management:
- What is an Information Security Management System (ISMS) according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/23/information-security-management-system-isms-according-iso-27001/
These materials will also help you regarding management:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
Comment as guest or Sign in
Apr 06, 2017