Hello,
We are using Conformio for our ISO 27001 program, and I have a question about completing the risk register. I'm at the risk treatment phase, and I'm starting to think I may have had the wrong idea about how to use the risk register.
We have a mature security culture, and we have many controls already in place. When I went through the risk scoring process, I scored the likelihood based on the controls we already have in place. So, in many cases, the likelihood was low or medium based on the presence of multiple existing controls.
I only scored the likelihood as high where we don’t have adequate controls already in place. Then, I worked through the “unacceptable” risks in the treatment phase.
The big question I have is, should I have scored the risks based on not having any controls in place already, and documented the controls in the treatment phase?
We have identified over 300 risks, and had 24 risks that needed addressing in the treatment phase. It would be a large amount of work to go back and re-score everything, not to mention having to document every existing control for 300+ risks. I don’t want to fail the audit, however.
Also, will this affect the Statement Of Applicability?
1 - The big question I have is, should I have scored the risks based on not having any controls in place already, and documented the controls in the treatment phase?
We have identified over 300 risks, and had 24 risks that needed addressing in the treatment phase. It would be a large amount of work to go back and re-score everything, not to mention having to document every existing control for 300+ risks. I don’t want to fail the audit, however.
Answer: The risk assessment needs to be performed considering existing controls, so your assessment was performed correctly. You can use the comment field in the risk register to inform which controls are already implemented to treat that risk. As a tip, you should include this information in terms of the controls of Annex A.
2 - Also, will this affect the Statement Of Applicability?
Answer: About the SoA, you need to review it and manually include, for each control, the reference to each risk treated by it in the initial assessment.
For example, if a hypothetical risk #32, related to service disruption, is assessed as low risk because you already have implemented a contingency plan to treat it, then you need to include:
- in the comment in risk #32 the information about this implemented contingency plan
- in the SoA this risk #32 as a justification to implement control A.5.29 (Information security during disruption)
Dec 27, 2022