
Expert Advice Community


ISO 27001 Risk Management

Guest user Created:   Jan 12, 2016 Last commented:   Jan 12, 2016

I’d like to ask a question about the risk management process in ISO 27001. During the risk management process, we determine risks, analyze their impact and likelihood, choose a risk treatment option and, at last, choose a control against that risk.

DejanK Jan 12, 2016

The problem is: is it necessary to have a clear link between a particular risk and a particular Annex A control? I mean, can each Annex A control (if we choose to implement it) be tracked down to a particular risk? And if that’s the case, then what kind of risks lead us to controls such as A.5.1.1 and A.5.1.2?

Answer:

Yes, it is necessary to link particular risks with controls from Annex A, because you have to show this relationship in the Statement of Applicability (clause 6.1.3 d) - you have to provide justification for the inclusion of particular controls.

Regarding A.5.1.1 (Policies for information security) - basically you can select this control for any risk that is related to organizational issues; A.5.1.2 (Review of the policies for information security) - you can select this control whenever you have a risk related to documentation that is not updated.

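One way to make the risk-to-control link the answer describes checkable, as an added example that is not part of the thread: a small risk register in which every selected Annex A control must trace back to a risk above the acceptable level, and the Statement of Applicability justification is generated from those risks. The risk descriptions, the 1-5 impact/likelihood scale, the acceptable level of 6 and the control A.9.2.1 (a real Annex A control not named in the thread) are constructed assumptions.

```python
# Added example, not from the forum post. Checks two-way traceability between a
# risk register and the Annex A controls selected for the SoA (clause 6.1.3 d).
from dataclasses import dataclass, field

@dataclass
class Risk:
    rid: str
    description: str
    impact: int          # constructed scale: 1 (low) .. 5 (high)
    likelihood: int      # constructed scale: 1 (rare) .. 5 (almost certain)
    treatment: str       # "modify", "accept", "avoid" or "share"
    controls: list = field(default_factory=list)   # Annex A control IDs

    @property
    def level(self) -> int:
        return self.impact * self.likelihood

# Constructed register; A.5.1.1 and A.5.1.2 are the controls discussed above.
REGISTER = [
    Risk("R1", "No management direction for information security", 4, 3, "modify", ["A.5.1.1"]),
    Risk("R2", "Policies not reviewed after organisational change", 3, 3, "modify", ["A.5.1.2"]),
    Risk("R3", "Laptop left on a train", 3, 2, "accept"),
    Risk("R4", "Backups never restore-tested", 4, 2, "modify"),
]

def untreated_risks(register, acceptable_level=6):
    """Risks above the acceptable level, marked 'modify', that have no control chosen."""
    return [r.rid for r in register
            if r.level > acceptable_level and r.treatment == "modify" and not r.controls]

def soa_justifications(register, selected_controls, acceptable_level=6):
    """Map each selected control to an SoA justification built from the risks that
    drive it. Controls that no qualifying risk points at are returned as 'untraced'
    so the SoA cannot silently include a control without a justification."""
    justified, untraced = {}, []
    for cid in selected_controls:
        drivers = [r for r in register
                   if cid in r.controls and r.treatment == "modify"
                   and r.level > acceptable_level]
        if not drivers:
            untraced.append(cid)
            continue
        justified[cid] = "Treats " + "; ".join(f"{r.rid} (level {r.level})" for r in drivers)
    return justified, untraced

if __name__ == "__main__":
    just, gaps = soa_justifications(REGISTER, ["A.5.1.1", "A.5.1.2", "A.9.2.1"])
    print("SoA:", just)                          # A.5.1.1 and A.5.1.2 justified
    print("Untraced controls:", gaps)            # ['A.9.2.1']
    print("Untreated risks:", untreated_risks(REGISTER))   # ['R4']
```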