Please select user.
There are no topics yet.
I have a question about control A.12.6.1 handling of technical vulnerabilities (inside the SoA table). In the column „reason for selection / exclusion“ I could basically enter almost any risk from the risk assessment table. Cause a lot of risks are based on technical things. I'm guessing that's not the way to go(?) For some other controls out of this table I have chosen general statements as the "reason for selection / exclusion“ without mentioning the concrete risks out of the risk assessment table. Would that make sense with control A 12.6.1, too?
You told me that listing the consequences inside the Asset Inventory comes out of the Risk Assessment Table and isn’t mandatory (but best practice). So far I totally got it and it makes more sense as the comment says before. But here is the thing: If I take the asset "top management" for example, I have for one asset different consequences inside the Risk Assessment Table, cause I have more than one vulnerability and threat. One asset with two different consequence-levels. The Asset Inventory consists of the asset „top management“ but needs just one consequence-level, right(?) Or shall I put both consequence-levels for one asset inside the Asset Inventory?