What to do about assets and risks that change after risk assessment
You should not change the initial inventory of assets, risk assessment table and the risk treatment table, because they are records about the situation at the time they were elaborated. The right thing to do is to create an updated version of them as you mentioned in option 2.
Regarding dealing with the new assets next year, to make this decision you must evaluate the impacts of such changes on your risk scenario. Since you mentioned that assets have changed in several departments, your risk scenario has probably changed too, and you should perform a new risk assessment as soon as possible.
This article will provide you with further explanation of the risk assessment process:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
These materials will also help you with the risk assessment process:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
Feb 10, 2017