brianhopla Created: Feb 06, 2018 Last commented: Feb 08, 2018

Risk Register vs Incident Log

Are the risk register and incident log mutually exclusive or complementary documents? Are they both strictly necessary?

0 0

Assign topic to the user

Select user

Rhand Leal Feb 08, 2018

Risk register and incident log are complementary documents. The first records what may happen, and the second what really happened.

Identified risks are required by ISO 27001, as part of the risk assessment and treatment process. Incident log is only required if there are unacceptable risks that justify controls that require its implementation (e.g., A.16.1.2 Reporting information security events).

These articles will provide you further explanation about risk register and incident log:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- How to handle incidents according to ISO 27001 A.16 https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/

These materials will also help you regarding risk register and incident log:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-risk-management-in-plain-english/
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

Quote

0 1

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Feb 06, 2018

Feb 08, 2018

Expert Advice Community