CAR, PAR, Security control
First, it is important to note that in the context of ISO 27001 preventive actions are not required (the word "preventive" does not even appear in the standard). Preventive actions were superseded by clause 6.1 - Actions to address risks and opportunities, which basically involves risk management. So, for this standard, what you could see as similar to the preventive action report is the Risk Treatment Plan, which defines actions, responsible parties, resources and deadlines to treat risks considered unacceptable.
Second, the standard does not require a Corrective Action Report, only that, if needed, corrective actions are implemented and evidence of the nature of the nonconformities, any subsequent actions taken, and the results of any corrective action is retained.
Considering that, to answer your question, a risk treatment plan is used to minimize the chance of a risk happening, or its impact, while corrective actions are used when the risk has already occurred.
These articles will provide you with more information about risk management and corrective actions:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- Practical use of corrective actions for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/
Hi,
So this scenario could then be possible for me:
1. Making the Risk Assessment
2. Choosing Controls (ISO 27001 and Own Controls)
3. Handling the implementation of these controls (Risk Treatment Plan) over P.A.R.
4. Choosing C.A.Rs as result from security threats, audits etc.
I'm understanding that in your context the P.A.R./C.A.R. is considered relevant and/or mandatory to be used, regardless of the ISO 27001 requirements.
If this is the case, then you can use the PAR to handle the implementation of the controls (it will be your Risk Treatment Plan).
The CAR can be used to handle security incidents or nonconformances identified in audits, but not security threats (if the threat did not occur you should use the PAR).
Again, it is important to note that CAR and PAR documents are not required by ISO 27001, and this approach works as a means to integrate ISO 27001 practices into your working framework.
May 11, 2018