How to treat risk with own control?
Can you please tell me how we can treat a risk in the risk register with an own security control (not one of the controls of Annex A)?
I'm assuming that this question is about Conformio.
Considering that, first of all, we are sorry for this situation.
At this moment it is not possible to include other sources of controls besides ISO 27001 Annex A in the risk register, because the large majority of companies do not find it necessary to add controls not listed in Annex A.
ISO 27001 Annex A is a comprehensive set of controls, and if we know which control you are planning to use, we may be able to link to an equivalent control from ISO 27001 Annex A.
In case there is no possible relation to Annex A controls, a workaround would be for you to upload to Conformio a document stating which risk (i.e., asset, vulnerability, threat, risk value) will be treated by controls not related to ISO 27001 Annex A, and also stating the residual risk.
Mar 11, 2023