We have a question for you on 4.: what is the best way to address this requirement? Should we add this verbiage to our 05 risk assessment and risk treatment methodology document (like below), or should we create a separate table and/or document where we list action, who is responsible, and timeframe for the items noted below? My original thought was to include these items in our risk assessment process, but I would be interested in your thoughts. Thanks.
3.6 Organization and Context
The head of EOM Security and Compliance will be responsible for identifying any internal or external issues that could affect the intended outcome of the ISMS. Internal issues such as resources, training, data storage, organizational roles, tools, EOM software, and system processes need to be captured and added to the Risk Assessment Table. External issues such as cloud providers, customers, the economy, technology, legislation, and the environment all need to be reviewed and added to the Risk Assessment Table if necessary.