I have a clarification question regarding the risk assessment and treatment report. When is this report created in the process of the ISO 27001 project? Before or after implementation of the necessary controls?
In the draft document it states that «The risk treatment was done from XX to XX.» (in the original: «Risk treatment was carried out in the period from [day/month/year] to [day/month/year].») Does this mean that the controls are in place, or does it mean that the treatment plan etc. was created, but the controls do not have to be in place when writing the report?
Also, it says in the draft document (Heading 3.5) that «after implementation of the controls the residual risks are re-evaluated» (in the original: «after applying the measures, the residual risks were assessed»). This implies that the report is done after the controls have been implemented, as the process (which is being reported on) would include the residual risk evaluation after the implementation of the controls.
Hey, I have a big question about some templates I bought from you for Risk Assessment: the videos don't show how to create the list of risks. They only say that the assets must first be identified, through threats and vulnerabilities, but I don't see any template that shows the final result after the risks have been identified. I'm confused. Can you help me?
I already used risk IDs inside the SoA template and wrote down "Risk #8, #10, #38", for example. I did it as Dejan's video tutorial said. But control A.12.6.1 covers (in my opinion) almost all risks in the risk assessment table, and I would like to write a general statement for "reason for selection / exclusion" instead of writing each risk ID down. Is this possible? I have already done it for some other controls inside the SoA too.
Can we perform a hybrid (service-based and asset-based) risk assessment? Also, can we write the process/methodology document in the same way?
If you complete a work procedure instruction, do you have to complete a safe operating procedure and complete a risk assessment as well?