ISO 27001 Risk Assessment Documentation

In order to be compliant with ISO 27001 standard, the following risk documentation is required. A documented risk assessment and treatment methodology, a standard of applicability, a risk treatment plan, and a risk assessment report. Per clause 6.1.2, the risk assessment and risk treatment methodology must be created. This document defines how the risks will be identified, assessed, and treated. Per clause 6.1.3, a statement of applicability is required. Annex A of the ISO 27001 standard defines 114 controls that should be considered when defining risk treatment options. If a control outlined in annex A is not implemented, it must be documented in the statement of applicability with a justification for exclusion. Per clause 8.3, a risk treatment plan must be documented, which defines the methods agreed upon for treating the risk, who will treat the risk identified from the risk assessment, and how the efficacy of the treatment will be measured. Per clause 8.3, a risk assessment report must be supplied to management with an overview of the results of the risk assessment, the risk treatment plan, and the estimated impact and probability of each risk. 

Related Videos