Controls identification
Answer: First it is important to understand that controls are not part of the risk assessment step in the risk management process. In the risk assessment the main output is the valuation of the risk (either in a quantitative or qualitative form). Controls are part of the risk treatment, identified after you define that a risk needs to be mitigated by implementing one or more controls.
This material will provide you further explanation about risk assessment and treatment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Considering that, although ISO 27001 clause 6.1.3 b) (which covers information security risk treatment) only requires that controls be determined, if you do not use numbering it will be more difficult to track them in the process, because this clause also requires the controls from Annex A to be taken into account in the selection of controls and in the elaboration of the Statement of Applicability, and the controls of Annex A are identified by numbers.
So, the main point is: you do not need to use control numbers in risk treatment, but not doing so will make your job much harder.
This article will provide you further explanation about controls selection:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
These materials will also help you regarding controls selection:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
May 24, 2018