Expert Advice Community

Guest

ISO 27001 certification

  Quote
Guest
Guest user Created:   Jan 21, 2023 Last commented:   Jan 21, 2023

ISO 27001 certification

My company was certified on ISO 27001 in 2019 and re-certified in Oct 2022. I am now implementing Conformio to help me in the on-going maintenance of the ISMS for future audits. I have just completed setting up the risk register and risk evaluation. Based on the controls that we have put in place over the years, all the risks are at acceptable level. Our company business have been around for 30 years and we have a stable operating environment. Conformio shows a Warning message that there should be at least 10% Unacceptable Risk items to complete the Risk Register Step and to pass the certification.

a) Is it necessary for me to artificially amend the risk evaluation to achieve the 10% Unacceptable risks?

b) Will the certification auditor not pass the certification audit if there is no risk treatment actions?

c) What is your recommendation?

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Jan 21, 2023

a) Is it necessary for me to artificially amend the risk evaluation to achieve the 10% Unacceptable risks?

First of all, sorry for this confusion.

This message is intended for companies that are implementing ISO 27001 for the first time. Since you already have implemented controls that reduce risks to an acceptable level, you do not need to include additional risks if you do not need to.

However, security risks are evolving very quickly, so it is likely that you do have some unacceptable risks that you did not record previously. It is recommended that you try to identify these new risks.

b) Will the certification auditor not pass the certification audit if there is no risk treatment actions?

Please note that risk treatment actions are needed only in case you have relevant risks to treat or want to make changes in existing controls (e.g., to update technologies or include improvements).

Since it is likely that your company is facing some new risks, the certification auditor will want to see if you managed to identify them. If you can convince the auditor that there are certainly no new risks, then you will pass the surveillance audit.

 c) What is your recommendation?

In your situation, recommendations are:

  • Regarding risk assessment, take this opportunity to review your risk assessment, because after the last assessment new risks may have risen that may require treatment
  • Regarding risk treatment actions, in case you do not have relevant risks to treat, try to look for improvement opportunities in implemented controls and document them as risk treatment actions. This will show the auditor a greater level of maturity of your ISMS.

For further information, see:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Jan 21, 2023

Jan 21, 2023