
Expert Advice Community

Risk assessment

Guest user Created:   Feb 18, 2021 Last commented:   Feb 18, 2021

Thank you for your recent reply – this was very helpful.

I’m back with another question:

As I understand it, the risk assessment is used to identify which assets/threats call for the implementation of controls due to a high risk score. This is helpful in order to know which controls you’ll have to implement. My question goes like this:

“Can” I document and implement, let’s say, e.g., an “Acceptable use of assets” policy (Annex A control A.8.1.3) even though nothing in my risk analysis points to the need for this? Or should all controls/policies be implemented based on what is found to have a risk score of 3+ in my risk analysis?

I hope this makes sense. If not, please feel free to ask clarifying questions.

Expert
Rhand Leal Feb 18, 2021

Please note that the results of risk assessment are only one of the justifications for control implementation. Controls also can be identified as needed if:
- there are legal requirements (e.g., laws, regulations, or contracts) demanding the implementation of a control;
- there is a top management decision to implement a control (e.g., because top management considers the control a good practice).

Considering that, you can implement a control even though it is not related to any relevant risk.

These articles will provide you with further explanation about controls selection:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

These materials will also help you regarding controls selection:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://training.advisera.com/course/iso-27001-foundations-course/
