Checking information on significant residual risks

Guest user Created:   Jul 27, 2017 Last commented:   Jul 27, 2017


1 - Explain how to check that information on significant residual risks is provided to the appropriate people?


Expert
Rhand Leal Jul 27, 2017

Answer: The records you should look for regarding acceptance of the residual information security risks are the information security risk treatment plan approval (regarding clause 6.1.3.f) and the records of management reviews (clause 9.3.e).

From the risk treatment plan you will know who the risk owners are, and this will be your reference to check whether each one of them approved the risk treatment plan and was informed about the results of management reviews.

For more information, see: Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/

2 - Explain how to utilize opportunities to promote the implementation of the risk reduction methods and procedures?

Answer: In general, you can justify that by implementing risk reduction methods and procedures an organization can take advantage of opportunities more easily. For example, opportunities to reduce cost are reducing insurance-related costs and costs of incidents, and both can be achieved by implementing risk reduction methods and procedures.

Another example of opportunity is to win new customers, by offering improved information security as a feature.

For more information, see: Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/

3 - Explain how to record the risk reduction methods and procedures in the appropriate information systems?

Answer: According to ISO 27001, the mandatory records and documents an organization has to keep as evidence that the risk assessment and risk treatment processes were performed are:
- Risk assessment and risk treatment methodology (clause 6.1.2)
- Statement of Applicability (clause 6.1.3 d)
- Risk treatment plan (clauses 6.1.3 e and 6.2)
- Risk assessment report (clause 8.2)

This article will provide you further explanation about ISO 27001 documented information:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

These materials will also help you regarding your questions:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
