Transferred risks
In the risk analysis, suppose it is decided to transfer the risk of some assets to a third party with whom there is a maintenance contract. For example, it is decided to transfer the risk of a very critical set of servers to the maintenance company.
1 - Should the owner of the asset also apply controls to mitigate this risk, or does the application of controls disappear at the moment the risk is transferred?
Answer: First, it is important to note that if you adopt the option to transfer the risks, the application of controls does not disappear; only the implementation method changes, from your own implementation to "implemented by third party".
Considering that, once risks are transferred to the third party, the asset owner should also consider applying the controls from section A.15.1, Information security in supplier relationships, to ensure that contracts or agreements exist to enforce the proper treatment of the transferred risks.
For additional information, please read:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
2 - Can I transfer the risk to a third party and, at the same time, decide to apply my own controls to these critical servers?
Answer: In theory you can do that, but it does not make much sense, since you are contracting someone precisely to protect your servers. Additionally, controls applied in parallel like this may interfere with each other and reduce overall server security or performance.
Sep 07, 2019