We have the following question, to find out whether this resolves it.
On behalf of the IT and Risk management.
1. The entity already has a comprehensive risk analysis manual. How would it be integrated with the information security risk assessment and treatment methodology? Could there be 2 manuals, or could a single one be integrated with the section added?
2. The entity already has an IT risk analysis manual, but it is different from the methodology you developed. Would IT risks be different from information security risks? Could there be 2 different manuals, or could they be integrated and unified with the Advisera document?
Note: The questions are basically about whether the technology and comprehensive risk areas already have part of the content in their methodologies, and how the integration or use of the manuals with Advisera would work so that it does not affect the current documentation.
I work for the security and cybersecurity area; I am the officer in charge, but I do not want to have conflicts with those two areas, which follow methodologies that are not 100% ISO 27001, although they have some of its elements.
1. The entity already has a comprehensive risk analysis manual. How would it be integrated with the information security risk assessment and treatment methodology? Could there be 2 manuals, or could a single one be integrated with the section added?
ISO 27001 does not prescribe how to document the adopted risk management approach, but it does require the risk assessment to "produce consistent, valid, and comparable results".
Considering that, even though having a single or separate manuals is acceptable, it would be much better to have one document only that explains the approach/methodology for risk assessment and treatment (i.e., a single place where you can find all information about risk management).
ISO 27001 does not prescribe an approach for information security risk management; it only requires one to be defined.
Considering that, if the organization's current methodology complies with ISO 27001 requirements, you do not need to use the methodology provided in the toolkit (you will only need to adjust the documents to refer to your current methodology as necessary).
Jul 10, 2020