Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
ISO 27001 Beginner
Hi, I currently work for a care company in the UK and I've been asked to research about ISO 27001 and how to apply it to the IT industry. I don't really know where to begin, and could use some help. I have been asked to do audits and risk assesments. What I'm asking for is a beginers guide here and someone to point me in the right direction for this. Any help is appriciated. -
Risk assessment and treatment report
I have a clarification question regarding the risk assessment and treatment report. When is this report created in the process of the ISO 27001 project? Before or after implementation of the necessary controls?
In the draft document it states that «The risk treatment was done from XX to XX.» (Risikobehandlung wurde im Zeitraum von [Tag/Monat/Jahr] bis [Tag/Monat/Jahr] durchgeführt.) Does this include that the controls are in place, or does this mean that the treatment plan etc. was created, but the controls do not have to be in place when writing the report?
Also, it says in the draft document (Heading 3.5) that «after implementation of the controls the residual risks are re-evaluated» (nach der Anwendung der Maßnahmen wurden die Restrisiken bewertet). This implies that the report is done after the controls have been implemented as the process (on which is reported) would include the residual risk evaluation after the implementation of the controls.
-
Creating risks list
Oye tengo una gran duda con unos templates que compre con ustedes para Risk Assessment, en los videos no muestran como crear la lista de Riesgos. Solo indica que primero hay que identificar los Activos, a través de las amenazas y vulnerabilidades pero no veo ningún template que muestre el resultado final después de haber identificado los Riesgos, estoy confundido. Me puede ayudar?
(Hey, I have a big question with some templates that I bought with you for Risk Assessment, in the videos they don't show how to create the list of Risks. It only indicates that the Assets must first be identified, through threats and vulnerabilities but I don't see any template that shows the final result after having identified the Risks, I am confused. Can you help me?)
-
Filling SoA
I already used risk ID's inside the SoA template and wrote down „Risk #8, #10, #38“ for example. I did it like Dejan’s video tutorial said. But control A.12.6.1 includes (in my opinion) almost any risks out of the risk assessment table and I would like to write a general statement for „reason for selection / exclusion“ instead of writing each risk ID down. Is this possible? I did it for some other controls inside the SoA already too.
-
Hybrid approach for risk assessment
Can we perform Hybrid approach (Service based & Asset based) risk assessment? Also, can we create the process /methodology document likewise?
-
Risk assessment report
I already had a question about chapter 3.3 inside the report on risk assessment and risk treatment a few weeks ago. It was about the final reports where you explained to me that it relates to risk assessment and risk treatment. But I still don’t know which documents are meant when it comes to these final reports and the exact time period when they were created. I have a period of time when I did the risk assessment and risk treatment. But the final reports I don’t know what’s meant with that. It would be great if you could help me with this. -
Work instructions & safety and risks
If you complete a work procedure instruction, do you have to complete a safe operating procedure and complete a risk assessment as well?