Risk Registers
Answer: ISO management standards do not prescribe how to implement a risk register, so both approaches are acceptable. A single risk register can show you a systemic view of all risks the organization is exposed to, but it is also more complex to analyze. A risk register for each aspect helps you focus on the relevant risks for each aspect, but it will require more administrative effort to maintain. You have to evaluate these situations to identify which approach is better for your organization.
2. I also see that the risk assessment that came with the pack is an asset-based risk assessment... is that mandatory?
Answer: ISO 27001 does not prescribe a methodology, only that one must be defined and documented, so you can adopt the methodology that best suits your needs. The asset-based risk assessment is included in the toolkit because it is the most common approach used for information security risk assessment, and it is also the one that provides the best balance between precision and needed effort.
This article will provide you with further explanation about risk assessment:
- ISO 31010: What to use instead of the asset-based approach for ISO 27001 risk identification https://advisera.com/27001academy/blog/2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identification/
Jun 12, 2019