Risk Assessment
I have two questions regarding the Risk Assessment Table.
- We are preparing this table for the first time. When listing an asset, is it ok to use a generic category for the asset so that it includes multiple real assets, or must each real asset be listed individually? For example, if I have 10 desktop computers, must each be listed separately or can I make one entry for "desktop computer" assuming the risks are the same for all 10?
- My second question is about the existing control column. Is it ok to list a preventative measure that has not been documented in a policy, or must it be an explicit control that is documented? For example, if I have a server that is vulnerable to power failure, can I list the existing control simply as "the server is plugged into a UPS" or must I cite a policy document that indicates all servers must be plugged into a UPS? Again, this is the first time this document is being written, and we understand that we will need documented controls for the Risk Treatment Table.
1. We are preparing this table for the first time. When listing an asset, is it ok to use a generic category for the asset so that it includes multiple real assets, or must each real asset be listed individually? For example, if I have 10 desktop computers, must each be listed separately or can I make one entry for "desktop computer" assuming the risks are the same for all 10?
ISO 27001 does not prescribe how to perform risk assessment, only that it must be performed, so organizations are free to perform it in the way that best suits them.
In fact, grouping assets with similar risks in a single category, as in your example, is a common practice, and it is perfectly acceptable to certification auditors.
Please note that included in your toolkit you have access to a video tutorial that can help you fill in the risk assessment table, presenting examples with real data.
2. My second question is about the existing control column. Is it ok to list a preventative measure that has not been documented in a policy, or must it be an explicit control that is documented? For example, if I have a server that is vulnerable to power failure, can I list the existing control simply as "the server is plugged into a UPS" or must I cite a policy document that indicates all servers must be plugged into a UPS? Again, this is the first time this document is being written, and we understand that we will need documented controls for the Risk Treatment Table.
As long as the control is implemented, there is no problem in mentioning it in the existing control column of the risk assessment table, even if it is not documented at the moment the risk assessment is performed.
Please note that ISO 27001 does not require you to write documents for each and every control. Only some controls will need to be documented later on as part of your ISO 27001 implementation - see the PDF document "List of documents" in the root folder of your toolkit to see which documents (and their related controls) need to be written down.
For further information, see:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
Feb 24, 2020