
Expert Advice Community

Can the risk be accepted and the control not applied?

Guest user. Created: Jan 12, 2016. Last commented: Jan 12, 2016

We are in the initial stages of obtaining our ISO-27001 certification and in doing so we are up to the pre-certification step. During the pre-certification we reviewed our Statement of Applicability and in particular our out-of-scope controls. One control was found to be a low risk during the risk assessment; senior management has agreed to accept the residual risk, and we determined it to be out of scope. The auditor is now demanding that this control be in scope. Is that permitted? Based on our scope and boundaries, as well as our documented exclusions, the control does not come into play. I'm trying to gather some additional information on the determination of in-scope vs. out-of-scope.

DejanK Jan 12, 2016

Answer: You shouldn't mix the terms here - the ISMS scope refers to which information you are protecting and which information is not protected (it is out of the scope); within the ISMS scope you can decide which controls to apply and which not to apply.

To answer your question - if you have identified a risk which is low and decided to accept it and not to apply the related control, this is something you are allowed to do. The certification auditor shouldn't object to that, but the auditor can object if you didn't take into account all the vulnerabilities and threats, and if you didn't apply the assessment scale systematically. From my own experience, companies very often bend their own risk assessment approach in order to avoid certain controls - this is what the certification auditors are allergic to.
