Expert Advice Community

Guest user Created:   May 26, 2023 Last commented:   May 26, 2023

Questions

1. We are a rather small start-up company with about 50 employees, manufacturing a product with both hardware and software.

We do not have a CISO or an IT manager, just myself as the ICT lead to do all IT and Security related tasks.

What should we put in the documentation instead of CISO?
Or should we write somewhere that wherever it says CISO that would be the ICT lead acting as the CISO?
Or alternatively should we only include job titles that we actually have in the company?
I am not sure how to present this in the documentation and audit.

2. One of our team members looking at the risk part of our ISO 27001 plan suggested we combine 06.1_Appendix_1_Risk_Assessment & 06.2_Appendix_2_Risk_Treatment because:
1) they include a lot of the same columns.
2) you can use a filter instead of copy-pasting those risks that need treatment. Copy-pasting between tables is error prone.

Does the standard require these tables to be separate?
Can you explain why these are separate in the toolkit?
Any other comments will be very welcome.

Expert
Rhand Leal May 26, 2023

1. We are a rather small start-up company with about 50 employees, manufacturing a product with both hardware and software.

We do not have a CISO or an IT manager, just myself as the ICT lead to do all IT and Security related tasks.

What should we put in the documentation instead of CISO?
Or should we write somewhere that wherever it says CISO that would be the ICT lead acting as the CISO?
Or alternatively should we only include job titles that we actually have in the company?
I am not sure how to present this in the documentation and audit.

Please note that, besides top management, ISO 27001 does not prescribe any specific role to perform information security-related activities, so you can use the job titles that you actually have in your company.

For further information, see:

2. One of our team members looking at the risk part of our ISO 27001 plan suggested we combine 06.1_Appendix_1_Risk_Assessment & 06.2_Appendix_2_Risk_Treatment because:
1) they include a lot of the same columns.
2) you can use a filter instead of copy-pasting those risks that need treatment. Copy-pasting between tables is error prone.

Does the standard require these tables to be separate?
Can you explain why these are separate in the toolkit?
Any other comments will be very welcome.

ISO 27001 does not prescribe that risk assessment and risk treatment be documented as separate documents, but we do not recommend merging the Risk assessment table and the Risk treatment table.

This is because not all risks from the Risk assessment table need to be treated, and very often for one risk you would need several controls (i.e., several lines for the same risk, each one associated with a different control). Keeping a single table would result in an unnecessarily big and complex table to manage.

Therefore, it is much easier to have two separate sheets for this purpose.
