The basics
ISO 27001 sub-clause 8.2 is called “Information security risk assessment” — this is a short sub-clause, and it requires risk assessments to be performed at planned intervals or according to the criteria defined in the Risk Assessment Methodology.
Documentation
ISO 27001 clause 8.2 Information security risk assessment requires writing the following documents:
- List of risks
- For each unacceptable risk – the definition of risk treatment options and related security controls
- Risk Assessment and Treatment Report
Implementation
To implement ISO 27001 clause 8.2 Information security risk assessment, you need to perform risk assessments at planned intervals or according to the criteria defined in the Risk Assessment Methodology.
Audit evidence
The auditor will look for evidence that the information security risk assessment is performed at planned intervals or when significant changes are proposed or occur.