Answer:
ISO 27001 requires risks to be reviewed periodically, or when situations that may impact the business occur, but it is not mandatory to identify new risks or create a new risk treatment plan.
However, it is highly unlikely that risks haven’t changed for so long (this situation will very probably call the attention of the certification auditor).
Some issues you have to consider in a risk assessment that may trigger new risks are: new products, new technology, change of location, change of customer profile, change of employee profile, new company strategy, etc.
Additionally, the list of threats and vulnerabilities in the link below can help you identify new risks:
- Catalogue of threats & vulnerabilities https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
Aug 05, 2019