Get 4 FREE months of Conformio to implement ISO 27001

Expert Advice Community

Guest

Risk assessment and treatment

  Quote
Guest
Guest user Created:   May 04, 2023 Last commented:   May 09, 2023

Risk assessment and treatment

We want to be compliant with the Baseline Information Security for Dutch governments, abbreviated as the BIO. For more info https://bio-overheid.nl/   This baseline is a selected subset of ISO27002 controls. Controls selected based on information security risks for Dutch governments. We already created information security policies, procedures and implemented most of the organizational and technical controls.

My questions:

1. would it be acceptable for the ISO27001 certification to do a risk assessment and treatment with a GAP analyses of the technical and organizational controls described in our information security policies? A risk would come from not having implemented a technical or organizational control. The treatment would be: implement the technical or organizational control.

2. if so – do we have to implement all technical and organizational controls before we start the certification process? Or I it sufficient that we proof we are in control of the risks by following the ISO27001 ISMS norm?

0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal May 04, 2023

1. would it be acceptable for the ISO27001 certification to do a risk assessment and treatment with a GAP analyses of the technical and organizational controls described in our information security policies? A risk would come from not having implemented a technical or organizational control. The treatment would be: implement the technical or organizational control.

A gap analysis in exchange for a risk assessment wouldn’t be acceptable for certification purposes, because a gap analysis doesn’t tell you which problems can occur or which controls to implement (just because a control is not implemented it does not lead immediately to a risk). A risk assessment tells you which incidents can happen and which controls to implement.

For further information, see:

2. if so – do we have to implement all technical and organizational controls before we start the certification process? Or I it sufficient that we proof we are in control of the risks by following the ISO27001 ISMS norm?

It is sufficient to demonstrate that implemented controls are based on the results of risk assessment and applicable legal requirements as prescribed by the standard.

Please note that you only need to implement controls to treat relevant risks (based on the results of risk assessment) or to fulfill legal requirements (e.g., applicable laws, regulations, or contracts), so you do not have to implement all technical and organizational controls before we start the certification process.

This article will provide you with further explanation:

Quote
0 0
Guest
Oldedebolde May 04, 2023

What if we need to comply with the Baseline Information security for Dutch governments based on iso27002 controls? A baseline suggests that the risk assessment already has been done. The controls of this baseline will be added to the statement of applicability. Is this sufficient for the certification process?

Quote
0 0
Expert
Rhand Leal May 09, 2023

The inclusion of controls in the SoA based on a compliance need (i.e., to be compliant with the Baseline Information security for the Dutch government) is acceptable for the certification process.

However, to be able to succeed in ISO 27001 certification process, you need to perform the risk assessment as well. Based on the results of the risk assessment, and based on requirements from interested parties (including the Dutch government requirements), you can define in your Statement of Applicability which controls are applicable.

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

May 04, 2023

May 09, 2023