Expert Advice Community


Non-Conformity in RR

Guest user | Created: May 26, 2023 | Last commented: May 26, 2023

Dear Team - this is quite urgent - we have got a non-conformity because the auditor didn't accept the risk register as produced by Conformio - we are not sure how to mitigate this, any guidance would be hugely appreciated. Here is the non-conformity. (27001) Finding: The organisation did not fully meet the requirements for clause 6.1.2 c)1) - apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system. Evidence: missing from Risk register within Conformio platform.

Additional information: The auditor requests that we add a column showing the impact on each of the CIA - Confidentiality, Integrity, and Availability components, (e.g. Letters to show letters representing the affected components of CIA).


Rhand Leal May 26, 2023

ISO 27001 does not require the impact on confidentiality, integrity, and availability to be assessed as separate values. 

The Risk Assessment Methodology document generated through Conformio specifies that the risks related to confidentiality, integrity, and availability will be identified by listing the assets, threats, and vulnerabilities, while the same document specifies that the consequences of endangered confidentiality, integrity, and availability will be assessed by assessing the level of impact. The Risk Register implements risk assessment according to those rules. 

Here is what ISO 27001 says: 

  • ISO 27001 clause 6.1.2 c) 1) requires “apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity, and availability for information within the scope of the information security management system”
  • ISO 27001 clause 6.1.2 d) 1) requires “assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize;”

In other words, the standard does require that risks related to confidentiality, integrity, and availability be identified, and their consequences be assessed, but this doesn’t mean separate values for these. As a consequence, the majority of companies that go for ISO 27001 certification (I’m referring here not only to Advisera, but also to non-Advisera customers) do not use separate values for confidentiality, integrity, and availability.
