Guest
What to do about assets and risks that change after risk assessment
Hi Guys, please can you help advise me here. We have completed the risk assessment and the asset owners are populating the risk treatment table with treatment options. However, there was a good number of months between completing the risk assessment and where we are today. As a result, the assets have changed in several departments, meaning some items in the current risk assessment are no longer relevant. It also means any new or replaced assets need to be re-assessed.
So the question is:
1) Do we just delete those irrelevant risks from the inventory of assets, the risk assessment table and the risk treatment process, and just deal with the new assets in next year's overall risk assessment?
2) Or do we update those documents according to document control procedures (i.e. update the asset inventory and the risk assessment table to reflect new and removed assets, and apply the treatment to the new assets)?
Expert
Rhand Leal
Feb 09, 2017
You should not change the initial inventory of assets, risk assessment table and risk treatment table, because they are records of the situation at the time they were elaborated. The right thing to do is to create an updated version of them, as you mentioned in option 2.
Regarding dealing with the new assets next year, to make this decision you must evaluate the impacts of such changes on your risk scenario. Since you mentioned that assets have changed in several departments, your risk scenario has probably also changed, and you should perform a new risk assessment as soon as possible.
This article will provide you with further explanation about the risk assessment process:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
These materials will also help you regarding the risk assessment process:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://training.advisera.com/course/iso-27001-foundations-course/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/