
Expert Advice Community

CAR, PAR, Security control

Guest
ralphkapunkt Created: May 02, 2018 Last commented: May 05, 2018

Hi, we have done a Risk Assessment and we are now in the process of choosing security controls. We are using security controls which align with industry standards like ISO 27001, and we are also choosing controls which were individually designed by us and fit our company. In this context, what is the difference between C.A.R/P.A.R and these security controls? From my understanding, if a control is not implemented yet, we can make some kind of project plan to fulfil our controls. But as I also understand it, we can create a C.A.R to implement these controls, or?

Expert
Rhand Leal May 05, 2018

First, it is important to note that in the context of ISO 27001 preventive actions are not required (the word "preventive" does not even appear in the standard). Preventive actions were superseded by clause 6.1 - Actions to address risks and opportunities, which basically involves risk management. So, for this standard, what you could see as similar to the preventive action report is the Risk Treatment Plan, which defines actions, responsible persons, resources and deadlines to treat risks considered unacceptable.

Second, the standard does not require a Corrective Action Report, only that, if needed, corrective actions are implemented and evidence of the nature of the nonconformities, any subsequent actions taken, and the results of any corrective action is retained.
Considering that, to answer your question, a risk treatment plan is used to minimize the chance of a risk occurring, or its impact, while corrective actions are used when the risk has already occurred.

These articles will provide you with more information about risk management and corrective actions:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- Practical use of corrective actions for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/

Guest
ralphkapunkt May 07, 2018

Hi,
so this scenario could then be possible for me:
1. Making the Risk Assessment
2. Choosing Controls (ISO 27001 and Own Controls)
3. Handling the implementation of these controls (Risk Treatment Plan) via a P.A.R
4. Raising C.A.Rs as a result of security threats, audits etc.

Expert
Rhand Leal May 11, 2018

I understand that in your context the P.A.R./C.A.R. is considered relevant and/or mandatory to be used, regardless of the ISO 27001 requirements.

If this is the case, then you can use the PAR to handle the implementation of the controls (it will be your Risk Treatment Plan).

The CAR can be used to handle security incidents or nonconformities identified in audits, but not security threats (if the threat has not occurred, you should use the PAR).

Again, it is important to note that CAR and PAR documents are not required by ISO 27001, and this approach works as a means to integrate ISO 27001 practices into your working framework.
