Mapping of risks to ISO 27001 controls
Assign topic to the user
Answer: Once you have identified the risk you should first look at the controls section objectives to find the one that are the most probable to treat the risk (some risk may be treated by controls from different sections). Once you find the section you should look into the controls description to find which ones are most adequate.
For example, for the risk "loss of a notebook", you can identify the following section objectives, and respective controls:
- Objective from section A.6.2 (Mobile devices and teleworking): To ensure the security of teleworking and use of mobile devices. Applicable control: Mobile device policy (A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.)
- Objective from section A.11.2 (Equipment): To prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations. Applicable controls: Security of equipment
and assets off-premises (Security shall be applied to off-site assets taking into account the different risks of working outside the organization’s premises.) and Unattended user equipment (Users shall ensure that unattended equipment has appropriate protection.)
This material will provide you further explanation about matching risks to controls:
- Diagram of ISO 27001:2013 Risk Assessment and Treatment process https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process
Comment as guest or Sign in
Nov 09, 2017