We are an SMB organization with 200 employees and 13 IT staff; the scope of implementation is only the IT department!!
We are implementing ISO 27001. The main challenge is to identify and register the risks in an effective and realistic manner.
We are working with a third party, and they delivered 140 registered risks. We have a couple of comments on the registered risks, as follows:
1- The registered risks are not realistic; they are closer to registered issues than to risks.
2- Most of the registered risks are repeated in different ways.
3- 140 registered risks is far too many to manage and maintain.
The third party based the risks on asset groups!!
Does this make sense? How can we resolve this issue?
Thanks for the tips and points to enhance the registered risks. However, 140 risks is a huge number to maintain regardless of the treatment. I'm expecting something around 20 risks max so they can be easily maintained, especially for the main dimensions of security control under CIA. In addition, ISO does not insist on including assets in risk handling.