ISO 27001:2022 - Your Risk Assessment Identified Risks. It Should Have Identified Risk Scenarios. The Difference Determines Whether Your SoA Is Defensible or Decorative.
Most ISO 27001 risk assessments produce generic risk lists. This blog explains why the standard requires scenario-based, CIA-driven risk modelling for defensible ISMS implementation.