ISO 27001 Clause 8.2 Information Security Risk Assessment

ISO 27001 Clause 8.2 is about keeping your organisation's information safe by making sure risks are identified before they turn into incidents. It requires you to perform an information security risk assessment: you look at your business, its information and the systems that handle it, and work out what could go wrong, how likely that is, and how bad it would be. The goal is to find and prioritise risks so you can decide how to treat them.

What Is a Risk Assessment?

A risk assessment is a process to find, analyse and understand risks. In simple terms, it is about finding out what could harm your information and how bad that harm would be. The standard says you must carry out this process using the method and criteria you defined for it (the criteria for accepting risk and for comparing results, so that repeated assessments give comparable results), and you must keep documented information of the results.

How to Do It

  1. Identify the Risks: Look for things that could harm the confidentiality, integrity or availability of your information. This includes events like a fire, an attacker breaking into a system, or a lost laptop, and for each one note which information or asset is affected and who is responsible for the risk.
  2. Analyse the Risks: For each risk, estimate how likely it is to happen and how much damage it would cause if it did. Combining likelihood and consequence gives you the level of risk.
  3. Evaluate the Risks: Compare each risk level against the risk acceptance criteria you set in advance and rank the risks, so you know which ones need attention first. Deciding what to actually do about each risk (accept it, avoid it, reduce it with controls, or share it with another party) is the separate risk treatment step that follows the assessment.

What an Auditor Checks

An auditor will want to see evidence that you carried out the risk assessment. They will check that your process is well defined, that it uses consistent criteria, and that you actually followed it. They will also look at your records (for example a risk register) to confirm the results are written down and that the assessment was repeated at the intervals you planned or after significant changes.

Common Questions

How often should I do a risk assessment?

The standard requires you to do a risk assessment at planned intervals and whenever significant changes are proposed or occur, such as a new system, a new supplier, a reorganisation or a serious incident. It does not fix a specific frequency; many organisations choose to run one at least once a year.

Do I have to write down my risk assessment?

Yes. You must keep the results of your risk assessment as documented information, which is the term the standard uses for records and documents that must be kept and controlled. Typically this is a risk register listing each risk, its likelihood, its consequence, the resulting risk level and its owner.

How is this different from a risk treatment?

A risk assessment is about identifying, analysing and evaluating risks. Risk treatment (covered by the next clause, 8.3) is about choosing what to do about them and selecting the controls that do it.