Expert Advice Community

Annex A Controls in Conformio

Guest user. Created: Feb 01, 2022. Last commented: Feb 01, 2022

1. It seems like you are informing me through Conformio that I should prepare policies with Annex A controls incorporated into them (as it seems in the Project Plan). For example, Title: Incident Response Policy, and we will mention the Annex A controls in it. Shouldn't we just have a folder A.16 Information Security Incident Management and files A.16.1 Responsibilities, A.16.1.2 Reporting Information Security Events, A.16.1.3 Reporting Information Security Weaknesses, A.16.1.4 Assessment of and Decision on Information Security Events, etc.?

2. Is there a tool JUST for Risk Assessment?

Expert
Rhand Leal Feb 01, 2022

1. It seems like you are informing me through Conformio that I should prepare policies with Annex A controls incorporated into them (as it seems in the Project Plan). For example, Title: Incident Response Policy, and we will mention the Annex A controls in it. Shouldn't we just have a folder A.16 Information Security Incident Management and files A.16.1 Responsibilities, A.16.1.2 Reporting Information Security Events, A.16.1.3 Reporting Information Security Weaknesses, A.16.1.4 Assessment of and Decision on Information Security Events, etc.?

Please note that organizing documents as you suggest only makes them more difficult to read and maintain.

Considering your example, instead of a single document defining how incident management is implemented you would have to keep seven independent documents.

Additionally, when you have a document that refers to controls from different sections (e.g., the Supplier Security Policy refers to controls from sections A.7, A.8, A.14, and A.15), reading and maintenance become even more difficult.

For further information, see:

2. Is there a tool JUST for Risk Assessment?

To perform just the risk assessment we have the Risk Assessment Toolkit (https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/), which comprises the following documents:

  • Risk Assessment and Risk Treatment Methodology
  • Risk Assessment Table
  • Risk Treatment Table
  • Risk Assessment and Treatment Report
  • Statement of Applicability
  • Risk Treatment Plan

This article will provide you a further explanation about risk assessment:

These materials will also help you regarding risk assessment:
