Aabout risk methodology must be include cost of implementation of controls. do you have any idea? About that implementation
Answer:
I suppose that your question is related to the risk treatment plan, if so, it is not strictly necessary that you include costs related to the implementation of security controls (it is not established in the ISO 27001:2013), although can be a best practice.
Anyway, the cost of the implementation of controls can depend of various parameters, for example: costs of human resources (internal or external), costs of services (internal or external), costs of equipment, etc.
This article about the risk treatment plan can be interesting for you Risk Treatment Plan and risk treatment process Whats the difference? : https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
And maybe can be useful for you ours templates for the risk treatment plan (you can see a free version clicking on Free Demo tab) Risk Treatment Plan : https://advisera.com/27001academy/documentation/risk-treatment-plan/ and also can be interesting for you our risk assessment and risk treatment methodology Risk Assessment and Risk Treatment Methodology : https://advisera.com/27001academy/documentation/risk-assessment-and-risk-treatment-methodology/
Comment as guest or Sign in
Jan 13, 2016