We purchased the ISO27k toolkit last year (I believe the toolkit with extended support) and started the implementation.
At this point, we are finalizing the risk assessment and starting the SoA. I now have a few questions. Please direct me to the right person if you are not the appropriate recipient.
My questions so far:
1 - It’s not yet clear to me what we must do exactly if a risk from the treatment table is not acceptable and requires some implementations.
What is the accepted time frame for risk mitigation?
For an unacceptable risk which requires new controls for treatment, what if we plan the implementation – say – 1 or 2 years later?
Is it allowed by the standard and/or auditor?
Will it be visible in SoA’s residual risks?
In other words, does it have to be addressed before the next assessment, or the next audit, or freely?
2 - If the risks must be absolutely mitigated “quickly” when not accepted, then we may need to relax the acceptance criteria to encompass them. Can we say:
Based on a yearly budget, state that i.e. high risks can be accepted only if there is no room left for the implementations in the running assessment... (or financial year... somehow)
The risk mitigation may therefore be postponed to the next assessment (hopefully not indefinitely...) or "whenever possible".
Would that kind of acceptance criteria fit with the standards and pose no issue with auditors?
I suppose that such accepted risks will again appear in the SoA (but that makes sense).
3 - Concerning the risk assessment:
Will our estimations of impact or likelihood be strongly challenged by the auditor? (Sometimes there is room for debate...)
Do we have to prepare evidence for each asset assessment or risk, to assist in the verification?
Clearly, doing so in advance, and for many risks/assets, is not feasible for us.
I guess the focus will be on the SoA instead and on how the controls are implemented? (Or on explaining why they are not.)