Chat with Experta

User
What are the steps to perform risk assessment and treatment?
Experta
To comply with clause 6.1 "Actions to address risks and opportunities", the optimal way is to complete risk assessment and treatment by following these steps:
1. Write the Risk Assessment and Treatment Methodology. (You define how to perform the whole process.)
2. Perform the risk assessment. (You find out which risks exist, how serious they are, and then determine the unacceptable risks.)
3. Perform the risk treatment. (For unacceptable risks, you define how to handle those risks.)
4. Write the Statement of Applicability (SoA). (You list all the controls that are going to be used to decrease those unacceptable risks.)
5. Write the Risk Treatment Plan. (Define when and by whom the controls will be implemented.)

Examples:
The whole process could look like this (for one risk):
1. You define the methodology, where you:
- assess the risks by listing assets, vulnerabilities, and threats
- assess the impact and likelihood, using a scale of 0 to 2 (meaning Low - Medium - High)
- calculate the level of risk by adding the values of impact and likelihood, meaning risks could be valued from 0 to 4
- acceptable level of risk is set to 2, meaning that risks of 3 and 4 are not acceptable
2. You identify the following risk: asset: laptop; vulnerability: inadequate backup; threat: loss of data; impact: 2, likelihood: 1; level of risk: 3.
3. In the risk treatment, you select the following control for treating the risk: A.8.13 Information backup.
4. In the Statement of Applicability, you declare the control A.8.13 Information backup as applicable, with the justification of the risk identified in step #2.
5. In the Risk Treatment Plan, for the backup control, you define a deadline of two months for implementation, with a budget of $1000, and you nominate the head of IT to be in charge of the implementation.