SPRING DISCOUNT
Get 30% off on toolkits, course exams, and Conformio yearly plans.
Limited-time offer – ends April 25, 2024
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Filling SoA justification
I have a question about control A.12.6.1 handling of technical vulnerabilities (inside the SoA table). In the column „reason for selection / exclusion“ I could basically enter almost any risk from the risk assessment table. Cause a lot of risks are based on technical things. I'm guessing that's not the way to go(?) For some other controls out of this table I have chosen general statements as the "reason for selection / exclusion“ without mentioning the concrete risks out of the risk assessment table. Would that make sense with control A 12.6.1, too? -
Filling asset inventory
You told me that listing the consequences inside the Asset Inventory comes out of the Risk Assessment Table and isn’t mandatory (but best practice). So far I totally got it and it makes more sense as the comment says before. But here is the thing: If I take the asset "top management" for example, I have for one asset different consequences inside the Risk Assessment Table, cause I have more than one vulnerability and threat. One asset with two different consequence-levels. The Asset Inventory consists of the asset „top management“ but needs just one consequence-level, right(?) Or shall I put both consequence-levels for one asset inside the Asset Inventory?