Is it possible NOT to provide employees with laptops and antivirus solutions? Our employees use their own laptops.
Our employees use Windows Defender. But we cannot control whether the antivirus is on. We cannot control whether the antivirus is updated and scheduled to perform periodic scans. So, we do not have any control or evidence. What are the options for us?
Answer:
ISO 27001 does not specify who should be the owner of the laptops or which kind of anti-virus software you should use - the key point in ISO 27001 is how you deal with risks.
So if your risk assessment says that the risks to those laptops are acceptable even if you do not control the AV software, then you can leave the system as it is; if the risk is not acceptable, then you can require the users to install some kind of AV software where you can control how it operates.
This article will help you more with how to handle risks: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
Apr 15, 2019