Expert Advice Community

ISO 27001 Risk Assessment

Guest user Created:   Jan 13, 2022 Last commented:   Jan 13, 2022

We are currently working on our asset register and risk assessment for ISO 27001. One thing that we are a bit unsure of is the column "existing controls" in the risk assessment table and how existing controls affect the risk treatment and the SoA.

1. What would you say counts as an existing control, and how "secure" does it need to be to lower the risk level? (documented, implemented as a process, etc.?)

2. If the already existing controls lower the risk level, which we suppose they do according to your video lessons, then the risk level might be so low that the risk doesn't need to be included in the risk treatment. And if it doesn't need to be included in the risk treatment, then we don't need to implement a control from Annex A to cover this risk? Have we understood this correctly? It seems a bit wrong to exclude Annex A controls that actually should be applicable.
Expert
Rhand Leal Jan 13, 2022

1. What would you say counts as an existing control, and how "secure" does it need to be to lower the risk level? (documented, implemented as a process, etc.?)

“Existing controls” refers to controls that are currently implemented (i.e., documented, implemented as a process, as a technology, etc.), so it is not about “how secure does it need to be”, but “how secure it is” at the moment of the assessment.

For example, for a data loss risk, you can mention that you already have a backup solution implemented (e.g., a software solution).

2. If the already existing controls lower the risk level, which we suppose they do according to your video lessons, then the risk level might be so low that the risk doesn't need to be included in the risk treatment. And if it doesn't need to be included in the risk treatment, then we don't need to implement a control from Annex A to cover this risk?

Have we understood this correctly? It seems a bit wrong to exclude Annex A controls that actually should be applicable.

If you already have a control implemented, identified during the risk assessment, you need to record this information in the SoA, reporting the associated control as implemented.

Considering the previous example, you need to report in the SoA that control A.12.3.1 Information Backup is applicable and its status is implemented.

For further information, see:
