
What to do about assets and risks that change after risk assessment

Guest
doublena Created:   Feb 08, 2017 Last commented:   Feb 09, 2017

Hi guys, please can you help advise me here. We have completed the risk assessment and the asset owners are populating the risk treatment table with treatment options. However, there was a good number of months between completing the risk assessment and where we are today. As a result, the assets have changed in several departments, meaning some items in the current risk assessment are not relevant. It also means any new or replaced assets need to be re-assessed. So the question is:

1) Do we just delete those irrelevant risks from the inventory of assets, risk assessment table and the risk treatment process, and just deal with the new assets in next year's overall risk assessment?
2) Or do we update those documents according to document control procedures (i.e. update the asset inventory; risk assessment table to reflect new and removed assets; apply the treatment to the new assets)?

Expert
Rhand Leal Feb 09, 2017
You should not change the initial inventory of assets, risk assessment table and the risk treatment table, because they are records about the situation at the time they were elaborated. The right thing to do is to create an updated version of them as you mentioned in option 2.

Regarding dealing with the new assets next year: to make this decision you must evaluate the impacts of such changes on your risk scenario. Since you mentioned that assets have changed in several departments, your risk scenario has probably changed too, and you should perform a new risk assessment as soon as possible.

This article will provide you with further explanation of the risk assessment process:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

These materials will also help you with the risk assessment process:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://training.advisera.com/course/iso-27001-foundations-course/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
Guest
doublena Feb 10, 2017
Thank you so much. I thought that was the right thing to do.