SPRING DISCOUNT
Get 30% off on toolkits, course exams, and Conformio yearly plans.
Limited-time offer – ends April 25, 2024
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Risk assessment and treatment report
I have a clarification question regarding the risk assessment and treatment report. When is this report created in the process of the ISO 27001 project? Before or after implementation of the necessary controls?
In the draft document it states that «The risk treatment was done from XX to XX.» (Risikobehandlung wurde im Zeitraum von [Tag/Monat/Jahr] bis [Tag/Monat/Jahr] durchgeführt.) Does this include that the controls are in place, or does this mean that the treatment plan etc. was created, but the controls do not have to be in place when writing the report?
Also, it says in the draft document (Heading 3.5) that «after implementation of the controls the residual risks are re-evaluated» (nach der Anwendung der Maßnahmen wurden die Restrisiken bewertet). This implies that the report is done after the controls have been implemented as the process (on which is reported) would include the residual risk evaluation after the implementation of the controls.
-
Risk assessment report
I already had a question about chapter 3.3 inside the report on risk assessment and risk treatment a few weeks ago. It was about the final reports where you explained to me that it relates to risk assessment and risk treatment. But I still don’t know which documents are meant when it comes to these final reports and the exact time period when they were created. I have a period of time when I did the risk assessment and risk treatment. But the final reports I don’t know what’s meant with that. It would be great if you could help me with this.