Expert Advice Community

Risk value calculation

Guest user Created:   Nov 28, 2017 Last commented:   Nov 28, 2017

When completing the risk assessment table, should the risk value (specifically the Likelihood component) be decided on before or after considering any existing controls?
Expert
Rhand Leal Nov 28, 2017

And if the risk value is calculated before considering existing controls, which risks should be moved to the risk treatment table? Is it only risks that are above the threshold value and do not have an existing control? Or any risk above the threshold value?

Answer: When defining the likelihood and impact values used to calculate the risk, you must consider any controls that are already implemented (and list them in the "Existing controls" column at the end of the Risk Assessment Table).

Regarding which risks you should move to the Risk Treatment Table, you should move risks that are above the threshold value and any other risk you decide to treat (e.g., because you want to implement an improvement or you have to treat them because of a legal requirement).

By the way, included in the toolkit you bought you have access to a video tutorial that can help you fill the risk assessment and risk treatment tables.
