8.3 Information security risk treatment
>1 - At this point in the standard, is there any format that should be followed to document the implementation of the risk treatment plan?
Answer: ISO 27001 does not prescribe any format for the risk treatment plan, so you can develop the document in the format that best fits your organization's needs. To see what a risk treatment plan looks like, I suggest you take a look at the free demo of our Risk Treatment Table template at this link: https://advisera.com/27001academy/documentation/risk-treatment-plan/
This material will provide you with more information:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
>2 - If there is a project identified in the risk treatment plan to mitigate a series of risks, could the security committee later decide that the risk is accepted and that the project is not implemented? Or would that be a non-conformity, since the accepted risk or "risk appetite" obliges us to treat this risk with the project identified in the treatment plan?
Answer: You can change the status of any action in the risk treatment plan at any time. You only have to take care to keep evidence of the decisions made to change the risk treatment plan and to record the newly accepted risks in the risk assessment table.
Aug 30, 2018