Expert Advice Community


IT and Risks

Guest
Guest user Created:   Jul 09, 2020 Last commented:   Jul 10, 2020


We have the following question, to find out whether this resolves it.

From the IT and Risk Management departments.

1- The entity already has a comprehensive risk analysis manual. How would the integration with the information security risk assessment and treatment methodology work? Could it have 2 manuals, or could a single one be integrated by adding the section?

2- The entity already has an IT risk analysis manual, but it is different from the methodology that you developed. Would IT risks be different from information security risks? Could there be 2 different manuals, or could they be integrated and unified with the Advisera document?

Note: The questions are basically about the fact that the technology and comprehensive risk areas each have part of the content in their own methodologies, but how the integration or use of the manuals with Advisera would work so that it does not affect the current documentation.

I work in the security and cybersecurity area; I am the officer in charge, but I do not want to have conflicts with those two areas, which follow methodologies that are not 100% ISO 27001 even though they have some of its elements.


Expert
Rhand Leal Jul 09, 2020

The entity already has a comprehensive risk analysis manual. What would be the integration with the methodology of information security risk assessment and treatment? Could it have 2 manuals, or could 1 be integrated and the section added?

ISO 27001 does not prescribe how to document the adopted risk management approach, but it does require the risk assessment to "produce consistent, valid, and comparable results".

Considering that, even though having a single or separate manuals is acceptable, it would be much better to have one document only that explains the approach/methodology for risk assessment and treatment (i.e., a single place where you can find all information about risk management).


ISO 27001 does not prescribe an approach for information security risk management; it only requires one to be defined.

Considering that, if the organization's current methodology complies with ISO 27001 requirements, you do not need to use the methodology provided in the toolkit (you will only need to adjust the documents to refer to your current methodology as necessary).

Guest
Fraiman Jul 10, 2020

Excellent answer, I got it.
