How do I handle the risk of control?

Guest user. Created: Jul 07, 2020. Last commented: Jul 07, 2020

1. How does one put in the risk/control of the asset?

I have read your website in terms of implementing an ISMS for ISO 27001.

First I have classified my assets, labeled them, and checked the risk of each.

Now how will this relate to the ISO controls?

What I don't understand is that the ISO has an annex, controls and some questions (or advice).
Because... let me take an example of an annex.
OK, let's say employees are also an asset. So taking the annex 7.2.2
"Information security awareness, education and training"

Objective
All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.
Does this mean one just has to educate the workers and partners on policies and then he is compliant to this annex?

2. I watched one of your videos about ISO27001, whereby the speaker gave a simple method of risk assessment table. So what impact is that table having on the iso requirement?

3. Assuming I have 10 assets but 3 are having a risk but 7 are okay.... which controls of the ISO27001 is this related to?

Expert
Rhand Leal Jul 07, 2020

1. How does one put in the risk/control of the asset?

I have read your website in terms of implementing an ISMS for ISO 27001.

First I have classified my assets, labeled them, and checked the risk of each.

Now how will this relate to the ISO controls?

What I don't understand is that the ISO has an annex, controls and some questions (or advice).
Because... let me take an example of an annex.
OK, let's say employees are also an asset. So taking the annex 7.2.2
"Information security awareness, education and training"

Objective
All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.
Does this mean one just has to educate the workers and partners on policies and then he is compliant to this annex?

I'm understanding that you want to clarify how controls from ISO 27001 Annex A are linked to identified risks.

Considering that, you need to identify which control's requirements best treat the risk you want to mitigate.

In your example, you only identified the asset (employees), but let's say one identified risk is that "New employee shared his/her password because he was unaware of corporate policies". From this risk statement, you can see that the control 7.2.2 can be used to treat this risk.

For further information see:

This material can also help you understand how to link risks to controls:

2. I watched one of your videos about ISO27001, whereby the speaker gave a simple method of risk assessment table. So what impact is that table having on the iso requirement?

ISO 27001 requires a definition of a risk assessment approach to identify and analyze risks (clause 6.1.3), so this table will help fulfill this requirement (without a defined approach an organization cannot be certified against ISO 27001).

3. Assuming I have 10 assets but 3 are having a risk but 7 are okay.... which controls of the ISO27001 is this related to?

I'm sorry, but without information about the risks, it is not possible to provide information about which controls can be applied.
