Risk assessment and treatment
We want to be compliant with the Baseline Information Security for Dutch governments, abbreviated as the BIO. For more info https://bio-overheid.nl/ This baseline is a selected subset of ISO27002 controls. Controls selected based on information security risks for Dutch governments. We already created information security policies, procedures and implemented most of the organizational and technical controls.
My questions:
1. would it be acceptable for the ISO27001 certification to do a risk assessment and treatment with a GAP analyses of the technical and organizational controls described in our information security policies? A risk would come from not having implemented a technical or organizational control. The treatment would be: implement the technical or organizational control.
2. if so – do we have to implement all technical and organizational controls before we start the certification process? Or I it sufficient that we proof we are in control of the risks by following the ISO27001 ISMS norm?
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
1. would it be acceptable for the ISO27001 certification to do a risk assessment and treatment with a GAP analyses of the technical and organizational controls described in our information security policies? A risk would come from not having implemented a technical or organizational control. The treatment would be: implement the technical or organizational control.
A gap analysis in exchange for a risk assessment wouldn’t be acceptable for certification purposes, because a gap analysis doesn’t tell you which problems can occur or which controls to implement (just because a control is not implemented it does not lead immediately to a risk). A risk assessment tells you which incidents can happen and which controls to implement.
For further information, see:
- ISO 27001 gap analysis vs. risk assessment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#section20
2. if so – do we have to implement all technical and organizational controls before we start the certification process? Or I it sufficient that we proof we are in control of the risks by following the ISO27001 ISMS norm?
It is sufficient to demonstrate that implemented controls are based on the results of risk assessment and applicable legal requirements as prescribed by the standard.
Please note that you only need to implement controls to treat relevant risks (based on the results of risk assessment) or to fulfill legal requirements (e.g., applicable laws, regulations, or contracts), so you do not have to implement all technical and organizational controls before we start the certification process.
This article will provide you with further explanation:
What if we need to comply with the Baseline Information security for Dutch governments based on iso27002 controls? A baseline suggests that the risk assessment already has been done. The controls of this baseline will be added to the statement of applicability. Is this sufficient for the certification process?
The inclusion of controls in the SoA based on a compliance need (i.e., to be compliant with the Baseline Information security for the Dutch government) is acceptable for the certification process.
However, to be able to succeed in ISO 27001 certification process, you need to perform the risk assessment as well. Based on the results of the risk assessment, and based on requirements from interested parties (including the Dutch government requirements), you can define in your Statement of Applicability which controls are applicable.
Comment as guest or Sign in
May 09, 2023