Guest user Created: Aug 05, 2019 Last commented: Aug 05, 2019

Risk review

We have been ISO 27001 certified for 4 years now. We had generally the same risks each year and the existing controls are sufficient in mitigating them. At this point, we're really struggling to identify new risks to mitigate and apply a risk treatment to each year. In your experience, is it possible to get by with just "existing controls are sufficient in mitigating this risk" for all risks that need mitigating? Or is it an absolute must to show a current risk treatment plan each year?

0 0

Assign topic to the user

Select user

Expert

Rhand Leal Aug 05, 2019

Answer:

ISO 27001 requires risks to be periodically reviewed, or when situations that may impact the business occur, but it is not mandatory to identify new risks or create new risk treatment plan.

However, it is highly unlikely that risks haven’t changed for so long (this situation will very probably call the attention of the certification auditor).

Some issues you have to consider on risk assessment that may trigger new risks are: new products, new technology, change of the location, change of customer profile, change of employees profile, new compan y strategy, etc.

Additionally, the list of threats and vulnerabilities in the link below can help you identify new risks:
- Catalogue of threats & vulnerabilities https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Aug 05, 2019

Expert Advice Community

Risk review

Risk review

Assign topic to the user

Comment as guest or Sign in

Suggested Topics

How often the risk review needs to be done?

ISO 27001 Clause 9.2

Are residual risks mandatory?