Risk assessment
Thank you for your recent reply – this was very helpful.
I’m back with another question:
As I understand it, the risk assessment is used to identify which assets/threads calls for the implementation of controls due to a high risk score. This is helpful in order to know which controls you’ll have to implement. My questions goes as this:
“Can” I document and implement, lets say i.e. an “Acceptable use of assets” policy (Annex A control A.8.1.3) even though nothing in my risk analysis points to the need of this? Or should all controls/policies be implemented based on what is found to have a risk score on 3+ in my risk analysis?
I hope this makes sense. If not, please feel free to ask clarifying questions.
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
Please note that the results of risk assessment are only one of the justifications for control implementation. Controls also can be identified as needed if:
- there are legal requirements (e.g., laws, regulations, or contracts) demanding the implementation of a control;
- there is a top management decision to implement a control (e.g., because top management considers the control as a good practice)
Considering that, you can implement a control even though it is not related to any relevant risk.
This article will provide you a further explanation about controls selection:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
These materials will also help you regarding controls selection:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Comment as guest or Sign in
Feb 18, 2021