
Expert Advice Community

Risks registered is not effectives

Guest
Guest user Created:   Feb 22, 2022 Last commented:   Feb 23, 2022

We are an SMB organization with 200 employees and 13 IT staff, and the scope of implementation is only the IT department!! We are implementing ISO 27001, and the main challenge is to identify and register the risks in an effective and realistic manner. We are working with a third party, and they delivered a register of 140 risks. We have a couple of comments on the registered risks, as follows:

1. The registered risks are not realistic; the result is closer to an issue register than a risk register.
2. Most of the registered risks are repeated in different wording.
3. 140 registered risks is far too many to manage and maintain.

The third party based the risks on asset groups!! Does this make sense? How can we resolve this issue?

Expert
Rhand Leal Feb 22, 2022

Some tips we can provide are:

  • you can exclude unrealistic risks from your assessment, in case you understand they will not add value to your assessment.
  • for the registered issues, you can work on identifying potential root causes for them, and these root causes can then be evaluated as to whether they can be considered risks or not.
  • you can rewrite repeated risks in a way that consolidates them into fewer controls.
  • in fact, 140 risks for an organization of your size is an expected quantity. Please note that after the risk treatment option is chosen, only part of them will need to receive additional treatment.

This article will provide you with a further explanation about risk assessment:

These materials will also help you regarding risk assessment:

Guest
Abuzaid Saad Feb 23, 2022

Thanks for the tips and points to enhance the risk register; however, 140 risks is a huge number to maintain, regardless of the treatment. I'm expecting something around 20 risks max, so they can be easily maintained, especially for the main dimensions of security control under CIA. In addition, ISO does not insist on including assets in risk handling.
