Take the ISO 27001 course exam and get the EU GDPR course exam for free
LIMITED-TIME OFFER – VALID UNTIL SEPTEMBER 30, 2021

Expert Advice Community

Guest

Filling out the Treatment Table

  Quote
Guest
Guest user Created:   Dec 14, 2018 Last commented:   Dec 14, 2018

Filling out the Treatment Table

When filling out the Treatment Table there are the columns Selection of Options and Means of Implementation. Both offer a selection of inputs. Is it mandatory to use these selections or can you use some other inputs that are not in the selection table? For instance can I add Other measures tot the "Selection of Options" and "Scan all documents to be stored on secure NAS, Destroy all physical documents".
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Dec 14, 2018

Not all solutions to the threats are in Annex A. If a choice from Annex A is made it still not clear what is actually being done.

Answer:

The selections presented on each column are not definitive, so you can add additional inputs if you consider this is needed for your organization. This tutorial can guide you on editing the drop down lists: https://support.office.com/en-us/article/add-or-remove-items-from-a-drop-down-list-0b26d3d1-3c4d-41f5-adb4-0addb82e8d2c

But it is important to mention that "Scan all documents to be stored on secure NAS, Destroy all physical documents" is an example of implementation of controls A.8.2.3 Handling of assets, so in principle there is no need to add your example as mean of implementation.

This article can provide you further information about handling information: Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
Quote
0 0
Guest
tkiers Dec 14, 2018
This answers the first part of my question. The second part maybe wasn't comprhensive enough.

When completing the Risk Treatment Table. You have to think about how you are going to treat a particular risk. Next you have to choose a related control from ISO 27001 Annex A. This choice however does not clarify the specific action that you are going to take in the form of adapting one of the toolbox documents or maybe writing a specific work instruction (like scan and destroy all phisical documents).

When I have to think about a solution to a threat I want to be able to describe this solution and not to have to come back to that specific threat in de treatment table to think about the problem for a second time. The Treatment Table only allows me to choose related Annex A items but does not allow me to describe a specific action in more detail.
Quote
0 0
Expert
Rhand Leal Dec 17, 2018
First of all thanks for the clarification about your doubt.

In fact for the purpose you described, the Risk Treatment Plan is not the proper document. As you said, it describes the general solution for risk. For recording more detailed information you can use the Statement of Applicability template. In this template you have a column called "Implementation method ", where you can describe the solution for a control (covering all risks and legal requirements related to that control), or make reference to documents (e.g., policy, procedure, or work instruction) describing the adopted solution.

This article will provide you further explanation about the Statement of Applicability:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Dec 14, 2018

Dec 17, 2018

Suggested Topics

Guest user Created:   Dec 06, 2017 ISO 27001 & 22301
Replies: 1
0 0

Filling Risk Treatment Table

Guest user Created:   Dec 19, 2019 ISO 27001 & 22301
Replies: 1
0 0

Context document

Guest user Created:   Mar 31, 2019 ISO 27001 & 22301
Replies: 1
0 0

Toolkit content