Expert Advice Community

Question on Document review

Guest user Created:   Jul 24, 2020 Last commented:   Jul 24, 2020

1 - Dear Dejan, thanks for the comprehensive answers. One question I have though:

Do the risk treatments have to be directly linked to a security control?

Example: Asset “desktop computer”, Threat “Intrusion”, Vulnerability “Inadequate level of knowledge” links to security control “7 Training and awareness”?

At the moment we have linked it to a policy, which every employee should read, on how to handle it.

2 - To extend my question:

And shall we, in addition, add to the “Statement of Applicability” for each control the assets to which it is applicable? But a consequence will be that, for instance, “training and awareness” is applicable to all assets.


Expert
Rhand Leal Jul 24, 2020

1 - Dear Dejan, thanks for the comprehensive answers. One question I have though:

Do the risk treatments have to be directly linked to a security control?

Example: Asset “desktop computer”, Threat “Intrusion”, Vulnerability “Inadequate level of knowledge” links to security control “7 Training and awareness”?

At the moment we have linked it to a policy, which every employee should read, on how to handle it.

Answer: Considering the common risk treatment options (i.e., mitigate the risk, avoid the risk, accept the risk, and transfer the risk), if you decide to mitigate or transfer the risk, then you need to choose one or more controls to decrease the risk to acceptable levels. If you decide to avoid or accept the risk, then you do not need to define any control for it.

For further information see:
- 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/01academy/emy/ademy/my/blog/16/05/16/4-mitigation-options-risk-treatment-according-iso-27001/

2 - To extend my question:

And shall we, in addition, add to the “Statement of Applicability” for each control the assets to which it is applicable? But a consequence will be that, for instance, “training and awareness” is applicable to all assets.

Answer: If I understood correctly, you want to know whether, in the Statement of Applicability, you need to state for each control the assets to which it is applicable.

Considering that, ISO 27001 does not require you to include information about assets in the Statement of Applicability. You only need to define the justifications for applicability or non-applicability, and the controls' implementation status (other information can be included, but related assets are not commonly listed, because that would make the document unnecessarily complex to read and manage).

This article will provide you with further explanation about the Statement of Applicability:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/01academy/emy/ademy/my/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
