
Expert Advice Community


ISO 27001 implementation

Guest
Guest user Created:   Jun 23, 2020 Last commented:   Jun 23, 2020

1. Do I need to list individual software licenses in the risk assessment or can they be put into broader categories? I’m thinking ahead to an eventual audit and what an auditor might want to see to show that we are taking everything into account.

i.e.
Software tools that may contain PII and/or confidential information
Software tools that do not contain PII and/or confidential information

And do they need to be separated by whether they are run on premises only or in the cloud?

Or, do I need to put:
Salesforce.com
Microsoft Office,
etc., and list all threats/vulnerabilities of each? We have a list of all software tools that contain PII for GDPR already in the Appendix – Inventory of Processing Activities.

2. Is there an easy way to know which controls would apply for each vulnerability? I.e. a mapping to the vulnerabilities that are pre-populated in the Risk Assessment? I think that each vulnerability listed probably has a specific control so having a mapping would save a lot of time vs trying to match them one by one.

3. When creating the risk assessment using the Asset-Threat Vulnerability method and assigning a Likelihood do we take into account the current state of that risk given our already implemented (pre-ISO27001) controls? i.e. if we have multi-factor authentication the risk of access to our email system is lower, therefore would we put a lower number for likelihood? I assume this is the case, but am not clear.

4. Do you suggest using the OCTAVE Allegro worksheets (or something similar) for polling the risk owners while creating the Risk Assessment, or is there a questionnaire available that can be sent to them with specific questions that I am missing?


Expert
Rhand Leal Jun 23, 2020

Do I need to list individual software licenses in the risk assessment or can they be put into broader categories? I’m thinking ahead to an eventual audit and what an auditor might want to see to show that we are taking everything into account.

i.e.
Software tools that may contain PII and/or confidential information
Software tools that do not contain PII and/or confidential information

And do they need to be separated by whether they are run on premises only or in the cloud?

Or, do I need to put:
Salesforce.com
Microsoft Office,
etc., and list all threats/vulnerabilities of each? We have a list of all software tools that contain PII for GDPR already in the Appendix – Inventory of Processing Activities.

You don't have to fill in each and every software license separately - you can just specify that you have a class called "software licenses" and associate to it the threats and vulnerabilities common to all of them. In case you have threats and vulnerabilities related to a specific software license, then you can list that software license separately for that set of threats and vulnerabilities.

For further information, see:

Is there an easy way to know which controls would apply for each vulnerability? I.e. a mapping to the vulnerabilities that are pre-populated in the Risk Assessment? I think that each vulnerability listed probably has a specific control so having a mapping would save a lot of time vs trying to match them one by one.

There is no definitive document we can recommend, since, for each organization, the applicable controls may vary according to the organization's risk tolerance and results of risk assessment (for the same vulnerability one or more controls may be applicable). Additionally, such documents may mislead organizations while implementing their own practices, because they may understand that these are the solution for their risk, without considering their own organizational context.

These materials will also help you regarding risk treatment:

When creating the risk assessment using the Asset-Threat Vulnerability method and assigning a Likelihood do we take into account the current state of that risk given our already implemented (pre-ISO27001) controls? i.e. if we have multi-factor authentication the risk of access to our email system is lower, therefore would we put a lower number for likelihood? I assume this is the case, but am not clear.

Your understanding is correct. When you perform a risk assessment, you need to consider the risk values including the effects of implemented controls. You only need to ensure that the information about the implemented controls is also documented in the risk assessment.

Do you suggest using the OCTAVE Allegro worksheets (or something similar) for polling the risk owners while creating the Risk Assessment, or is there a questionnaire available that can be sent to them with specific questions that I am missing?

Octave or other approaches for identifying risks are not needed. You can ask your asset owners to simply identify threats/vulnerabilities that can affect their assets based on the catalog of threats/vulnerabilities included in the Risk Assessment Table, located in the folder 10 Risk Assessment and Risk Treatment.

For further information, see:

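The following is an added illustration, not code from the thread or from Advisera's toolkit: a small asset-threat-vulnerability register that mixes an asset class ("Software licenses") with a specific asset listed separately for its own vulnerability, scores likelihood with the already-implemented controls taken into account while recording those controls next to the risk, and checks that every tool in a (constructed) PII inventory is covered by some entry. The 1-5 scale, the acceptance threshold and all sample entries are assumptions.

```python
# Added example (not the toolkit's own code). Scale, threshold and entries are assumed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str              # an asset class (e.g. "Software licenses") or one specific asset
    covers: tuple           # specific assets this entry applies to
    threat: str
    vulnerability: str
    likelihood: int         # 1..5, assessed WITH existing controls taken into account
    impact: int             # 1..5
    existing_controls: tuple = ()   # controls already in place that justify the likelihood

    def score(self) -> int:
        return self.likelihood * self.impact


ACCEPT_THRESHOLD = 6   # assumed: risks scoring above this need treatment

# Constructed stand-in for the GDPR inventory of PII-holding tools.
PII_TOOLS = ("CRM SaaS", "Office suite", "HR system")

REGISTER = (
    # One class entry carries the threats/vulnerabilities common to all licensed software.
    Risk("Software licenses", ("CRM SaaS", "Office suite", "HR system"),
         "Malware", "Unpatched software", 2, 4, ("Automatic updates", "Endpoint AV")),
    # Likelihood 1 because MFA is already in place; the control is documented beside it.
    Risk("E-mail system", ("E-mail system",),
         "Unauthorised access", "Weak authentication", 1, 5, ("Multi-factor authentication",)),
    # A vulnerability specific to one tool gets its own entry, as the expert suggests.
    Risk("CRM SaaS", ("CRM SaaS",),
         "Data leakage", "Export to personal devices not restricted", 3, 5),
)


def audit_findings(register=REGISTER, inventory=PII_TOOLS):
    """Problems an auditor would raise: PII tools not covered by any entry, and
    low likelihood ratings that are not backed by a documented existing control."""
    covered = {a for r in register for a in r.covers}
    findings = [f"{t}: not covered by any asset class or specific entry"
                for t in inventory if t not in covered]
    findings += [f"{r.asset}/{r.threat}: likelihood {r.likelihood} but no existing control recorded"
                 for r in register if r.likelihood <= 2 and not r.existing_controls]
    return findings


def treatment_needed(register=REGISTER):
    """Risks above the acceptance threshold, highest score first."""
    return sorted((r for r in register if r.score() > ACCEPT_THRESHOLD),
                  key=lambda r: r.score(), reverse=True)
```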