A couple of questions that the attendees asked were relevant to my situation, because each company's scope is different. These were the following:
1. Grouping hardware together, such as routers or switches, instead of individually, to make the impact and likelihood easier (please correct me if I'm wrong). On the contrary, it might change because an Edge Router will have a different responsibility than an Access switch or a Distribution switch. Am I correct to say that it depends on how I perceive these assets and what impact they will have?
2. The type of methodology to use, e.g. low, medium and high OR 1-5, 1-10... Regarding this question, I find it easier to use the numbering because the risk can be calculated more easily and management attendance can be attracted more easily (once again, please correct me on this point).
The treatment itself: is it advisable to implement an audit process, for example quarterly, to check on the progress of the devices that need to be treated? What is your advice?
Answer:
A1: You are right. It is a best practice to group assets, because, for example, you can have one asset "Routers" instead of a number of independent routers (all equal and with the same configuration). This approach will help you to reduce the number of assets in your inventory. You can group assets depending on whether they share threats/vulnerabilities and the risks are the same (based on impact and likelihood). So, from this point of view, if you have an Access switch that is different from a Distribution switch, you need 2 different assets in your inventory. This article about the asset inventory can be interesting for you: How to handle Asset register (Asset inventory) according to ISO 27001: https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
A2: From my point of view, both approaches are OK for the standard; for some people it is easier to use numbers, and for other people it is easier to use names, but keep in mind that the important thing here is the methodology that you use to calculate the risk, which must be the same for the calculation of all risks, and you need to develop it in the easiest way for your business. Do you know our Risk Assessment and Risk Treatment Methodology? It is also very easy, and you can see a free version by clicking on the Free Demo tab here: Risk Assessment and Risk Treatment Methodology: https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/
Regarding your last question, you can perform periodic review tasks, depending on the deadline for the execution of the actions. For example, if the deadline for the implementation of a backup policy is 3 months, you can perform review tasks each month. An audit process is more complex (if we talk about the internal audit), so you do not need to perform it to review the risk treatment; reviewing the actions planned and performed (Risk Treatment Plan) can be enough.
Finally, this article about the Risk Treatment Plan can be interesting for you: Risk Treatment Plan and Risk treatment process: What's the difference?: https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
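The two rules in the answer above, group assets only when they share threats/vulnerabilities and have the same impact and likelihood (A1), and score every risk with one fixed methodology whether it is shown as numbers or as low/medium/high (A2), can be expressed as a small register. This is an added example, not code from the post or from Advisera; the 1..3 scales, the "impact x likelihood" formula, the label thresholds and the sample inventory are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Assumed scales (not from the page): impact and likelihood each 1..3,
# risk = impact x likelihood (1..9), and ONE fixed mapping to qualitative labels.
LEVEL_THRESHOLDS = ((6, "high"), (3, "medium"), (0, "low"))


@dataclass(frozen=True)
class Asset:
    name: str
    role: str                   # e.g. "access switch" vs "distribution switch"
    threats: FrozenSet[str]     # threat/vulnerability pairs the asset is exposed to
    impact: int                 # 1..3
    likelihood: int             # 1..3


def risk_score(impact: int, likelihood: int) -> int:
    """The single numeric methodology applied to every risk in the register."""
    for value in (impact, likelihood):
        if not 1 <= value <= 3:
            raise ValueError("impact and likelihood must be in 1..3")
    return impact * likelihood


def risk_level(score: int) -> str:
    """Qualitative label derived from the same score, so both views rank identically."""
    for threshold, label in LEVEL_THRESHOLDS:
        if score >= threshold:
            return label
    return "low"


GroupKey = Tuple[str, FrozenSet[str], int, int]


def group_assets(assets: List[Asset]) -> Dict[GroupKey, List[str]]:
    """Merge assets that share role, threats/vulnerabilities, impact and likelihood.

    An access switch and a distribution switch never merge (different role);
    two identical access switches do, giving one inventory entry.
    """
    groups: Dict[GroupKey, List[str]] = {}
    for asset in assets:
        key = (asset.role, asset.threats, asset.impact, asset.likelihood)
        groups.setdefault(key, []).append(asset.name)
    return groups


def register(assets: List[Asset]) -> List[dict]:
    """One row per grouped asset, scored once, highest risk first."""
    rows = []
    for (role, threats, impact, likelihood), members in group_assets(assets).items():
        score = risk_score(impact, likelihood)
        rows.append({
            "asset": role,
            "members": sorted(members),
            "threats": sorted(threats),
            "impact": impact,
            "likelihood": likelihood,
            "score": score,               # numeric view (A2, "1-5/1-10" style)
            "level": risk_level(score),   # qualitative view (A2, "low/medium/high")
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample inventory: two identical access switches, one distribution
# switch and one edge router with different exposure and impact.
SHARED_SWITCH_ISSUES = frozenset({"outdated firmware", "no configuration backup"})
SAMPLE_ASSETS = [
    Asset("sw-a1", "access switch", SHARED_SWITCH_ISSUES, impact=1, likelihood=2),
    Asset("sw-a2", "access switch", SHARED_SWITCH_ISSUES, impact=1, likelihood=2),
    Asset("ds-1", "distribution switch", SHARED_SWITCH_ISSUES, impact=2, likelihood=2),
    Asset("rt-edge-1", "edge router", frozenset({"outdated firmware"}), impact=3, likelihood=2),
]

if __name__ == "__main__":
    for row in register(SAMPLE_ASSETS):
        print(f"{row['asset']:20} {row['members']} score={row['score']} level={row['level']}")
```

Running it yields three register rows instead of four: the two access switches collapse into one entry because they share role, threats and scores, while the distribution switch stays separate even though it shares the same threats, since its impact differs. The label column is computed from the score rather than entered by hand, which is what keeps the qualitative and numeric presentations consistent across the whole register.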
Jan 12, 2016