Expert Advice Community

Guest user Created:   Feb 17, 2022 Last commented:   Feb 24, 2022

Conformio risk register

I have a few questions regarding Conformio (trial).

1. First, a question about the risk management methodology (the process): could you elaborate on the logic behind that? Is it different from the tables in your toolkits (RA and RT)? Because I haven’t used the vulnerability-threat approach, I am confused that you must choose an applicable control for the vulnerability and then again for the threat. Or are these applicable controls the controls which are already implemented safeguards in our environment, which we have to consider when we do the risk evaluation (the next step; these controls are already included in the risk level)?

2. Can you adjust controls also (make your own), or are there only ISO A-attachment related controls?

3. I can’t seem to adjust residual risk manually (after I have added controls appropriate to treat the risk). Why is that?


Expert
Rhand Leal Feb 17, 2022

1. First, a question about the risk management methodology (the process): could you elaborate on the logic behind that? Is it different from the tables in your toolkits (RA and RT)?
Because I haven’t used the vulnerability-threat approach, I am confused that you must choose an applicable control for the vulnerability and then again for the threat. Or are these applicable controls the controls which are already implemented safeguards in our environment, which we have to consider when we do the risk evaluation (the next step; these controls are already included in the risk level)?

Answer: The logic behind the Risk Register in Conformio is the same as the Risk Assessment and Risk Treatment Tables in the documentation toolkit:
- identification of assets – vulnerabilities – threats
- definition of risk value (risk analysis)
- definition of risk treatment option
- definition of applicable controls

You need to define controls for each set of “asset-vulnerability-threat”. You do not need to select controls specifically for vulnerabilities or threats, but in some cases, this approach is useful when a single control is not enough to reduce risk to acceptable levels.

Regarding already implemented controls, you need to take them into account when defining risk value, as well as record this information in the observation field of the risk.

For further information, see:
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- How to use Conformio ISO 27001 risk assessment software https://advisera.com/conformio/blog/2021/06/27/how-to-use-conformio-iso-27001-risk-assessment-software/

2. Can you adjust controls also (make your own), or are there only ISO A-attachment related controls?

Answer: The current version of Conformio only works with controls from ISO 27001 Annex A.

3. I can’t seem to adjust residual risk manually (after I have added controls appropriate to treat the risk). Why is that?

Answer: Residual risk is automatically calculated by Conformio based on these criteria:
- number of applied controls
- type of applied controls
- covered sections of Annex A controls

But you can also define the residual risk values manually during the risk treatment step in the Risk Register, depending on the risk treatment options chosen.

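As an added illustration of the register logic described in this answer (not Conformio's own code), the following models a row per asset-vulnerability-threat set, the observation field for safeguards already in place, and a residual value that is calculated automatically unless it is overridden during treatment. The residual-risk heuristic, the "preventive" control type, and the sample rows are assumptions made for the demonstration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Control:
    annex_a_id: str       # Annex A reference, e.g. "A.9.2.1" (constructed sample)
    preventive: bool      # stand-in for the "type of control" criterion (assumption)

@dataclass
class Risk:
    asset: str
    vulnerability: str
    threat: str
    likelihood: int       # 1..5, already reflecting safeguards in place
    impact: int           # 1..5
    observation: str = ""           # where already-implemented safeguards are noted
    treatment: str = "reduce"       # reduce | retain | transfer | avoid
    controls: List[Control] = field(default_factory=list)
    manual_residual: Optional[int] = None   # set during the treatment step

    def risk_value(self) -> int:
        return self.likelihood * self.impact

    def residual_risk(self) -> int:
        """Automatic residual value unless overridden manually."""
        if self.manual_residual is not None:
            return self.manual_residual
        if self.treatment != "reduce":
            return self.risk_value()  # no controls applied, risk unchanged
        # Assumed heuristic: count of controls, their type, and how many
        # distinct Annex A sections they cover all lower the residual value.
        sections = {c.annex_a_id.split(".")[1] for c in self.controls}
        reduction = sum(2 if c.preventive else 1 for c in self.controls)
        reduction += max(0, len(sections) - 1)
        return max(1, self.risk_value() - reduction)

    def needs_treatment(self, acceptable: int) -> bool:
        return self.residual_risk() > acceptable

def sample_register() -> List[Risk]:
    """Constructed sample rows, one per asset-vulnerability-threat set."""
    r1 = Risk("HR database", "weak passwords", "credential theft", 4, 4,
              observation="MFA already enforced on the VPN",
              controls=[Control("A.9.2.1", True), Control("A.12.4.1", False)])
    r2 = Risk("Laptops", "no disk encryption", "device theft", 3, 5,
              treatment="transfer", manual_residual=3,
              observation="cyber-insurance covers device loss")
    return [r1, r2]
```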
JZ Feb 17, 2022

Thank you for the answer.

1. When are the ISO 27001:2022 and ISO 27002:2022 changes expected to show in Conformio?

2. What kind of actions do the changes require from us?

3. The SoA changes when risks are reviewed; to my knowledge the SoA should not have changes during the certified period. How is this handled?

4. Is there a Risk Treatment Plan in Conformio, or are you supposed to use the Toolkit's RTP?

Br,

Jan

Expert
Rhand Leal Feb 24, 2022

1. When are the ISO 27001:2022 and ISO 27002:2022 changes expected to show in Conformio?

Answer: Conformio will be updated shortly after ISO 27001 is officially aligned with the ISO 27002 changes.

For further information, see:
- 11 most important facts about changes in ISO 27001/ISO 27002 https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/

2. What kind of actions do the changes require from us?

Answer: Once the updated controls are in effect you will have to make certain changes in the Risk Register and Statement of Applicability as well as some documents. There will be guidance provided to make the transition easy and clear.

3. The SoA changes when risks are reviewed; to my knowledge the SoA should not have changes during the certified period. How is this handled?

Answer: Please note that the SoA is a living document that can change during the certified period, either due to changes in the risk environment (e.g., when new risks arise or existing risks become bigger/smaller) or in legal requirements (e.g., a new law or a contract with a customer/supplier).

To handle changes in the SoA you can:
1 – Use the Risk Register to update risks or the Register of Requirements to update requirements
2 – Update the SoA itself regarding changes due to other business requirements.

For further information, see:
- How to automate the creation of the Statement of Applicability https://advisera.com/conformio/blog/2021/01/20/how-to-automate-the-creation-of-statement-of-applicability/

4. Is there a Risk Treatment Plan in Conformio, or are you supposed to use the Toolkit's RTP?

Answer: The Risk Treatment is embedded in Conformio, and it is available after you conclude the development of the SoA.
