Risk assessment information
1. What is the job title of the person responsible for the Risk Treatment Plan?
2. Can we give the ISMS Project Manager and Internal Auditor* the right to make entries into and changes to the Statement of Applicability?
*Note: Giving this right to the internal auditor would take place after the internal audit procedure, to keep the records of the SoA updated.
Answer: The person responsible for the ISMS can also be designated to be responsible for the overall Risk Treatment Plan, but you should note that for each action in the plan there also has to be a designated person, who can be different from the person responsible for the overall plan (usually either the risk owner or the person responsible for the control being implemented).
The ISMS Project Manager can have access to make entries and changes to the Statement of Applicability during the project implementation, but any modification to the SoA must be approved by Top Management before publication.
Normally the internal auditor cannot have editing access to the SoA (his activities only require him to evaluate the document). Any changes due to the results of an audit must be performed by the person responsible for the SoA (generally the person responsible for the ISMS).
This article will provide you with further explanation about the risk treatment plan:
- Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
This material will also help you regarding the risk treatment plan:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
Feb 23, 2018