Documentation of Results
Advanced Risk Management
0.0 Shifting from technical execution to strategic risk management.
1. Introduction to ISO/IEC 27005 and information security risk management
2. Information Security Risk Identification, Assessment, and Treatment (ISO/IEC 27005)
3 - Risk Acceptance, Communication, Monitoring and Review
4 - Risk Assessment Methodologies
05 - ISO 27005 Risk Assessment Using FMEA
While process documentation shows how the organisation analyses risk, the results documentation records the actual empirical outputs of those activities. As risk assessments need to be carried out at scheduled intervals or when significant changes happen, there must be an auditable timetable and supporting evidence that assessments were performed according to that schedule. If a proposed operational change triggers an assessment, the documentation must clearly state the nature of the change and the resulting variation in risk.
The documented results should be used to create a detailed and adaptable risk register. This register must list every identified risk, its evaluated consequence and likelihood scores, and the resulting risk level. Each risk should be clearly assigned to a specific risk owner. Importantly, the documentation must also record the application of the risk acceptance criteria, stating whether each risk was judged acceptable or unacceptable, and the resulting order of priority for risk treatment.
Beyond merely recording data points, best practices require meticulous documentation of the rationale behind risk decisions. By noting why a specific risk was accepted or why a particular control was chosen, the organisation creates a vital institutional memory. This allows the organisation to learn from past errors in judgment, understand the context of historical decisions during post-incident investigations, and support the continuous improvement of the ISMS.
For the risk treatment phase, the documentation of results concludes with the Risk Treatment Plan (RTP) and the Statement of Applicability (SoA). The SoA acts as the vital link between the theoretical risk assessment and the implemented ISMS, documenting exactly which ISO 27001 Annex A controls are necessary, the formal justification for their inclusion or exclusion, and their current implementation status. The documentation must ultimately demonstrate that the controls are actively functioning as intended to reduce the risk to an acceptable level.
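As an added illustration of the results documentation described above (the assessment timetable and change-triggered reassessment, the risk register with scores, owner, acceptance decision and treatment priority, and the recorded rationale), the following Python module is example code written for this page, not material from the course or from ISO/IEC 27005. The 1 to 5 scales, the product-based risk level, the acceptance threshold of 8, the annual reassessment interval and every register entry are constructed assumptions; real organisations define their own scales and criteria.

```python
"""Minimal ISO/IEC 27005-style risk register: scoring, acceptance criteria,
treatment priority, timetable check and change-triggered re-scoring.
Added example; scales, threshold, interval and entries are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

ACCEPTANCE_THRESHOLD = 8                     # assumed: level <= 8 is acceptable
REASSESSMENT_INTERVAL = timedelta(days=365)  # assumed annual assessment cycle


@dataclass
class Risk:
    risk_id: str
    description: str
    owner: str            # every risk is assigned to a named risk owner
    consequence: int      # 1 (negligible) .. 5 (catastrophic), assumed scale
    likelihood: int       # 1 (rare) .. 5 (almost certain), assumed scale
    rationale: str        # why it was scored, accepted or treated this way
    last_assessed: date   # evidence that the assessment took place

    def level(self) -> int:
        """Risk level from the assumed 5x5 matrix; rejects out-of-scale scores."""
        for score in (self.consequence, self.likelihood):
            if not 1 <= score <= 5:
                raise ValueError(f"{self.risk_id}: score {score} outside 1..5")
        return self.consequence * self.likelihood

    def acceptable(self) -> bool:
        """Apply the acceptance criterion to this risk."""
        return self.level() <= ACCEPTANCE_THRESHOLD


def treatment_priority(register: list) -> list:
    """Order of priority for treatment: unacceptable risks only, highest
    level first, then higher consequence first, then by id for stability."""
    return sorted(
        (r for r in register if not r.acceptable()),
        key=lambda r: (-r.level(), -r.consequence, r.risk_id),
    )


def reassessment_overdue(register: list, today: date,
                         interval: timedelta = REASSESSMENT_INTERVAL) -> list:
    """Timetable check: ids whose last assessment is older than the interval."""
    return [r.risk_id for r in register if today - r.last_assessed > interval]


def record_change(risk: Risk, change: str, consequence: int, likelihood: int,
                  today: date, rationale: str) -> dict:
    """Re-score a risk after a significant operational change and return the
    audit entry: nature of the change, levels before and after, variation."""
    level_before, ok_before = risk.level(), risk.acceptable()
    risk.consequence, risk.likelihood = consequence, likelihood
    risk.rationale, risk.last_assessed = rationale, today
    return {
        "risk_id": risk.risk_id,
        "change": change,
        "date": today.isoformat(),
        "level_before": level_before,
        "level_after": risk.level(),
        "variation": risk.level() - level_before,
        "acceptable_before": ok_before,
        "acceptable_after": risk.acceptable(),
    }


# Constructed sample register (illustrative entries, not real assessment data).
REGISTER = [
    Risk("R-001", "Unpatched internet-facing web server", "Head of IT", 4, 3,
         "Likely to be exploited; patch SLA control selected", date(2024, 3, 1)),
    Risk("R-002", "Loss of a non-sensitive test dataset", "Dev Lead", 2, 2,
         "Low impact, easily regenerated; accepted", date(2023, 1, 15)),
    Risk("R-003", "Ransomware on file servers", "CISO", 5, 2,
         "Catastrophic impact; offline backups and EDR selected", date(2024, 4, 10)),
    Risk("R-004", "Privileged account sharing", "IT Ops Manager", 3, 3,
         "Moderate; PAM rollout planned", date(2024, 2, 20)),
]

if __name__ == "__main__":
    today = date(2024, 6, 1)
    for r in treatment_priority(REGISTER):
        print(f"{r.risk_id} level={r.level()} owner={r.owner} ({r.rationale})")
    print("overdue:", reassessment_overdue(REGISTER, today))
    print(record_change(REGISTER[1], "test dataset moved to public cloud", 4, 3,
                        today, "now holds production-like data; treat"))
```

The audit entry returned by `record_change` is the piece auditors ask for when a change triggers an assessment: it names the change, shows the variation in risk level, and captures that a previously accepted risk has crossed the acceptance threshold and now needs a treatment decision.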