6.1.2 The organization shall define and apply an information risk assessment process that: c) identifies the information security risks
1) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system
This is the only clause in ISO 27001 which I absolutely do not understand. Could you be so kind and give me a hint or explanation in 'human English' 😄. My problem is that, for internal auditing purposes, I want to draft some 'audit questions' with reference to this clause, but as I do not understand that 'beyond human imagination English of the ISO guys', I don't manage to formulate the right audit question(s) with reference to subclause 6.1.2.c.1.
Translating this clause to plain English, what you should question is:
1 - were information security risks identified?; and
2 - are the identified information security risks related to the information your organization wants to protect?
- if you do not find a Risk Assessment Table, or similar document, then you would have a non-compliance here, since there is no evidence that risks related to the ISMS scope were identified.
- if you find a Risk Assessment Table with risks related to a software development process, and your ISMS scope is about your Customer Management process, then you would have a non-compliance here, since the identified risks are not related to the defined ISMS.
By the way, included in your toolkit there is an Internal Audit Checklist where you can find questions which cover clause 6.1.2.