Expert Advice Community

Budgeting the selected controls

Guest user Created:   Jun 09, 2016 Last commented:   Jun 09, 2016

I have noticed that none of the mentioned documents or phases of the ISMS implementation process (for instance, the risk assessment plan) mention the creation of a document with the budgets needed for the selected controls. At some point the CEO should receive a final document for approval of the controls and, respectively, the budgets for the acquisition. What does best practice say about it?
Expert
Dejan Kosutic Jun 09, 2016

Answer:

Actually, clause 6.2 of ISO 27001 requires creation of a plan which will include what resources will be required for the implementation of controls - this also includes the planning of financial resources.

We have included this financial planning in our Risk treatment plan; you can see what the template looks like here: https://advisera.com/27001academy/documentation/risk-treatment-plan/

This article may also help you: Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment

Guest
diorelaprisacaru Jun 09, 2016

Thank you for the answer, Dejan. Can it alternatively be documented separately if the client considers this more convenient?

Expert
Dejan Kosutic Jun 10, 2016

Sure, you can document the budget separately, but then you have to refer to that budget from your Risk treatment plan.
