Expert Advice Community

Questions about ISO 27001 implementation

Guest
Guest user Created:   Jan 27, 2021 Last commented:   Jan 27, 2021

We purchased the ISO27k toolkit last year (I believe the toolkit with extended support) and have started the implementation.

At this point, we are finalizing the risk assessment and starting the SoA. I now have a few questions. Please direct me to the right person if you are not the appropriate recipient.

My questions so far:

1 - It’s not yet clear to me what we must do exactly if a risk from the treatment table is not acceptable and requires some implementations.

What is the accepted time frame for risk mitigation?
For an unacceptable risk which requires new controls for treatment, what if we plan the implementation – say – 1 or 2 years later?
Is it allowed by the standard and/or auditor?
Will it be visible in SoA’s residual risks?
In other words, does it have to be addressed before the next assessment, or the next audit, or freely?

2 - If the risks must be absolutely mitigated “quickly” when not accepted, then we may need to relax the acceptance criteria to encompass them. Can we say:

Based on a yearly budget, state that i.e. high risks can be accepted only if there is no room left for the implementations in the running assessment… (or financial year… somehow)
The risk mitigation may therefore be postponed to the next assessment (hopefully not indefinitely..) or “whenever possible”
Would that kind of acceptance criteria fit with the standards and pose no issue with auditors?
I suppose that such accepted risks will again appear in the SoA (but it makes sense)

3 - Concerning the risk assessment:

Will our estimations of impact or likelihood be strongly challenged by the auditor? (sometimes there is room for debate..)
Do we have to prepare evidence for each asset assessment or risk, to assist in the verification?
Clearly, doing so in advance and for many risks/assets is not feasible for us.
I guess the focus will be on the SoA instead and how the controls are implemented? (or to explain why they are not)

Expert
Rhand Leal Jan 27, 2021

1 - It’s not yet clear to me what we must do exactly if a risk from the treatment table is not acceptable and requires some implementations.

What is the accepted time frame for risk mitigation?
For an unacceptable risk which requires new controls for treatment, what if we plan the implementation – say – 1 or 2 years later?
Is it allowed by the standard and/or auditor?
Will it be visible in SoA’s residual risks?
In other words, does it have to be addressed before the next assessment, or the next audit, or freely?

ISO 27001 does not prescribe a time frame to implement controls, so organizations are free to define the time frame that best suits them, but a time frame of 1 or 2 years is not recommended, because by the time you finish the implementation the risks may have changed (due to changes in business conditions or changes in threats and vulnerabilities), and the previously planned controls may not be effective or needed anymore.

Now, considering certification purposes, at least the controls related to the most relevant risks must be implemented, with proper evidence of implementation and operation, by the time of the certification audit, because risk treatment is a mandatory clause, and the certification auditor will check this. Risks with controls not implemented should be accepted by the organization, and these must be included as defined in the Statement of Applicability template (included in the toolkit you bought; you also have access to a video tutorial that can help you fill in the SoA document).

For further information, see:

2 - If the risks must be absolutely mitigated “quickly” when not accepted, then we may need to relax the acceptance criteria to encompass them. Can we say:

Based on a yearly budget, state that i.e. high risks can be accepted only if there is no room left for the implementations in the running assessment… (or financial year… somehow)
The risk mitigation may therefore be postponed to the next assessment (hopefully not indefinitely..) or “whenever possible”
Would that kind of acceptance criteria fit with the standards and pose no issue with auditors?
I suppose that such accepted risks will again appear in the SoA (but it makes sense)

ISO 27001 does not prescribe risk acceptance criteria, only that they must be defined. Considering that, your organization can establish any criteria it sees fit (your criteria example is acceptable). You only have to be careful to not postpone relevant risks indefinitely, because this can be seen as a lack of commitment to information security, and this can compromise certification. About SOA, your assumption is correct, the accepted risks will appear in the SOA.

Also included in your toolkit is a video tutorial that can help you with risk assessment and treatment.

This material can also help you:

3 - Concerning the risk assessment:

Will our estimations of impact or likelihood be strongly challenged by the auditor? (sometimes there is room for debate..)
Do we have to prepare evidence for each asset assessment or risk, to assist in the verification?
Clearly, doing so in advance and for many risks/assets is not feasible for us.
I guess the focus will be on the SoA instead and how the controls are implemented? (or to explain why they are not)

The auditor will check whether your estimations make sense considering your organizational context and ISMS scope, and will only ask additional questions if something is too far from the normally expected results (for example, the impact of a datacenter outage due to fire valued as 1 on a scale from 1 to 5, where 5 is the highest impact).

For audit purposes, the Risk Assessment Table and the Risk Treatment Table are sufficient for the auditor.

The SoA is the initial guide for the auditor to understand your information security context, but during the audit, he will check how the controls are implemented.

This article will provide you with a further explanation about estimating risks:
