I have a clarification question regarding the risk assessment and treatment report. When is this report created in the process of the ISO 27001 project? Before or after implementation of the necessary controls?
In the draft document it states that «The risk treatment was done from XX to XX.» (Risikobehandlung wurde im Zeitraum von [Tag/Monat/Jahr] bis [Tag/Monat/Jahr] durchgeführt.) Does this include that the controls are in place, or does this mean that the treatment plan etc. was created, but the controls do not have to be in place when writing the report?
Also, it says in the draft document (Heading 3.5) that «after implementation of the controls the residual risks are re-evaluated» (nach der Anwendung der Maßnahmen wurden die Restrisiken bewertet). This implies that the report is done after the controls have been implemented, as the process (which is being reported on) would include the residual risk evaluation after the implementation of the controls.
I already had a question about chapter 3.3 inside the report on risk assessment and risk treatment a few weeks ago. It was about the final reports, where you explained to me that it relates to risk assessment and risk treatment. But I still don’t know which documents are meant when it comes to these final reports, or the exact time period in which they were created. I have a period of time in which I did the risk assessment and risk treatment. But as for the final reports, I don’t know what is meant by that. It would be great if you could help me with this.