Risk Register section
In risk assessment, you need to identify risks that exist in your context and that you consider relevant. The fact that some of them may already have controls in place is considered when you analyze them to define likelihood and impact (in most cases this will mean that they will have low risk and won’t be part of the risk treatment step).
Considering that, both of your examples would be included in the risk assessment, so you can document either the risks or the controls already implemented to treat them.
For further information, see:
- 6 main steps in risk management https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/
- Risk assessment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
Mar 31, 2022