Risk rating
Definition
A classification of a finding's severity, typically Critical, High, Medium, Low, or Informational, derived from a likelihood-by-impact matrix. The rating determines remediation priority and timeline. It must be justified in the finding, not merely asserted.
Related terms
- Executive summary
- The opening section of an audit report written for non-technical leadership. It states the audit scope, overall posture, the most material findings...
- Finding
- A discrete, evidence-backed statement that a specific control is absent, misconfigured, or insufficient. Each finding contains an issue statement, evidence, risk rating,...
- Management response
- The audited organisation's formal reply to each finding, included in the report. It states whether the recommendation is accepted, rejected, or accepted...
- Nonconformity
- The ISO 27001 term for a finding that represents a failure to meet a requirement of the standard or the organisation's own...
- Observation
- A noted issue or improvement opportunity that does not constitute a formal finding because it lacks sufficient evidence or does not violate...
Explained in
- Audit Report Structure and Communicating Findings