Risk assessment
1. As I fill out the risk assessment table and do the risk assessment, we are finding that some risk should be owned by a third party connected to our ISO scope, is it ok to list them as the asset and risk owner, they would be responsible if the risk would surface.
2. We have some SDLC (systems development life cycle) controls listed in 06 SOA, we stated in our scope document that software development is not in scope, however, if we know that controls are in place already should we document that in the SOA?
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
1. As I fill out the risk assessment table and do the risk assessment, we are finding that some risk should be owned by a third party connected to our ISO scope, is it ok to list them as the asset and risk owner, they would be responsible if the risk would surface.
Risks related to elements outside the ISMS scope should be treated by controls of section A.15 - Supplier relationships. Through Service Level Agreements (SLAs), Operational Level Agreements (OLAs) or Terms and Conditions of Service, the organization makes clear and enforces the expected information security controls to be applied. In this scenario, someone in the organization still is the risk owner, but the treatment is delegated to the third party.
For further information, see:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
2. We have some SDLC (systems development life cycle) controls listed in 06 SOA, we stated in our scope document that software development is not in scope, however, if we know that controls are in place already should we document that in the SOA?
The main purposes of the SoA are to identify which controls are applicable or not in the ISMS scope, the justifications for such decisions, and the implementation status of those controls deemed as applicable, but you can document implemented controls that are not part of the ISMS scope in the SoA as a good practice (ISO 27001 requirements do not prohibit this).
This way you will have a centralized information source about all implemented controls you have, even if they are not implemented in the ISMS scope. This can be useful, for example, if in the future you need to include such controls in the ISMS scope (you will have quick information about what you already have).
You only need to pay attention to ensure that the situation of the control as not part of the ISMS scope is perfectly clear in the justification. For example:
"Program source code is not in the ISMS scope, however, this control is tracked in the SoA as a good practice, to keep a centralized database of the organization's applied controls."
This article will provide you a further explanation about SoA:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
Comment as guest or Sign in
May 07, 2020