Expert Advice Community


Mandatory policies

Guest user Created:   Jul 21, 2020 Last commented:   Jul 21, 2020


Hi, I have a question re mandatory policies.

Do they need to be stand-alone policies? Or can they be combined? For example, combining Risk assessment and risk treatment methodology (clause 6.1.2), Risk treatment plan (clauses 6.1.3 e and 6.2), and Risk assessment report (clause 8.2) policies into one Risk Management policy?


Expert
Rhand Leal Jul 21, 2020

ISO 27001 does not prescribe how to develop documents, but it is important to note that you are talking about different types of documents.

The Risk Assessment and Risk Treatment Methodology is a procedure (it defines how risk assessment and risk treatment are performed), developed once and updated as needed, while the Risk Treatment Plan and the Risk Assessment Report are records (the first contains the results of risk assessment and the second a summary of the risk assessment and treatment results), which can be generated multiple times and are not normally updated.

Considering that, procedures and records should not be merged in a single document, because of the dynamic nature of records (after some time you would have an unmanageable document basically containing records).

Regarding the Risk Treatment Plan and the Risk Assessment Report, they are not normally merged because the report is a summary, and the Risk Treatment Plan is normally referred to as an annex to the Risk Assessment Report.

These articles will provide you with a further explanation about risk management and records management:

These materials will also help you regarding risk management and records management:
