1 - Dear Dejan, thanks for the comprehensive answers. One question I have though:
Do the risk treatments have to be directly linked to a security control?
Example: Asset “desktop computer”, Threat “Intrusion”, Vulnerability “Inadequate level of knowledge” links to security control “7 Training and awareness”?
At the moment we have linked it to a policy, which every employee should read, on how to handle it.
2 - To extend my question:
And shall we, in addition, add to the “Statement of Applicability”, for each control, which assets it is applicable to? But a consequence will be that, for instance, “training and awareness” is applicable to all assets.
Answer to question 1: Considering the common risk treatment options (i.e., mitigate the risk, avoid the risk, accept the risk, and transfer the risk), if you decide to mitigate or transfer the risk, then you need to choose one or more controls to decrease the risk to acceptable levels. If you decide to avoid or accept the risk, then you do not need to define any control for it.
For further information see:
- 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
Answer to question 2: If I understood correctly, you want to know whether, in the Statement of Applicability, you need to state for each control which assets it is applicable to.
Considering that, ISO 27001 does not prescribe including information about assets in the Statement of Applicability. You only need to define the justifications for applicability or non-applicability, and the controls' implementation status (other information can be included, but related assets are not commonly listed, because it would make the document unnecessarily complex to read and manage).
This article will provide you with a further explanation of the Statement of Applicability:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
Jul 23, 2020