Guest
Risk treatment plan
If we have identified a control in the SoA that is a legal requirement or a management decision to implement, can I document the associated tasks in the RTP, or should I create a separate spreadsheet to handle these?
Expert
Rhand Leal
Apr 21, 2020
ISO 27001 does not prescribe how to document the Risk Treatment Plan, so both approaches (a single plan or separate plans) are acceptable for certification purposes. You can keep all tasks related to the risk treatment plan in a single document.
For further information, see:
- Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
Apr 17, 2020