1 - I need some information about 3rd party risk assessment. We are a small business preparing for ISO 27001. I need to know how to fill in the questionnaire for the 3rd party risk assessment. I also want to know how to use the other registers that are mandatory in ISO 27001.
Answer: The general steps for risk assessment and treatment in a 3rd party risk assessment are basically the same as those applied to your own organization:
- Risk identification (i.e., identification of the elements that compose the risk, and of already implemented controls)
- Risk analysis (i.e., the definition of the risk value, considering any already implemented controls)
- Risk evaluation (i.e., comparing the risk value to the risk acceptance criteria to decide whether additional treatment is required)
- Risk treatment (i.e., defining which treatment is to be applied, and its effect on the risk)
Here is an example considering a scenario where a power generator is no longer needed, and possible power failures will be covered by UPS, and the use of the asset-threat-vulnerability approach:
- Risk identification: assets would be any power-dependent equipment (e.g., servers, desktops, routers, etc.), threat (power failure), vulnerability (lack of power generator), and implemented control (UPS)
- Risk analysis: without any emergency power supply, your operations will run only as long as your UPS charges last before the normal power supply is recovered, so the risk of operational disruption will increase with time (i.e., to value the risk you have to consider how long your UPSs will last and how long it will take for the normal power supply to be reestablished).
- Risk evaluation: considering your risk evaluation criteria, you can decide how to treat the risk (e.g., mitigate, transfer, accept, or avoid)
- Risk treatment: for mitigation, you may decide to keep the power supply; for transfer, you can decide to operate in a facility physically maintained by a third party; or you can do nothing and absorb the impact if the risk occurs.
Please note that this analysis is valid only for this scenario. For example, if the asset to be removed is a notebook, you must take other considerations into account, like the information stored on the notebook.
These materials will provide you with a further explanation of risk assessment and treatment:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- ISO 27001 Risk Assessment, Treatment, & Management: The Complete Guide https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/
2 - In addition, I don’t know how to make the SOA.
Answer: Regarding the SoA, it is created based on the results of risk treatment, i.e., which controls you need to implement to handle the risks you consider relevant.
For detailed information on how to create a SoA, please read:
- Statement of Applicability in ISO 27001 – What is it and why does it matter? https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
Considering your questions, I suggest you take a look at our solution Conformio, which can help you implement ISO 27001 by means of task automation and guidance on critical processes, like risk assessment and treatment:
- Conformio (online tool for ISO 27001) https://advisera.com/conformio/
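The four steps in the first answer (identification, analysis, evaluation, treatment) and the point in the second answer that the SoA is derived from the treatment results can be tied together in a small risk-register model. The following is an added example written for this page; it is not code from Advisera, Conformio, or the ISO standard. The 1..5 likelihood and impact scales, the acceptance threshold, the likelihood bands for the UPS scenario, the control names in the catalogue (stand-ins, not Annex A references), and the supplier risk are all constructed assumptions; replace them with your own criteria and control references.

```python
from dataclasses import dataclass, field

# Constructed acceptance criterion (assumption): a risk whose score exceeds
# this value is not acceptable as-is and must be treated.
ACCEPTANCE_THRESHOLD = 6


@dataclass
class Risk:
    """One row of the risk register (asset-threat-vulnerability approach)."""
    asset: str
    threat: str
    vulnerability: str
    existing_controls: list
    likelihood: int            # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                # 1 (negligible) .. 5 (severe), assumed scale
    treatment: str = "accept"  # mitigate | transfer | avoid | accept
    planned_controls: list = field(default_factory=list)

    def score(self) -> int:
        # Risk analysis: risk value with existing controls already reflected
        # in the likelihood/impact estimates.
        return self.likelihood * self.impact

    def acceptable(self, threshold: int = ACCEPTANCE_THRESHOLD) -> bool:
        # Risk evaluation: compare the value against the acceptance criterion.
        return self.score() <= threshold


def power_outage_likelihood(ups_runtime_min: float, expected_outage_min: float) -> int:
    """Map 'how long the UPS lasts vs. how long power takes to come back'
    to a 1..5 likelihood of disruption. The bands are an assumption."""
    ratio = expected_outage_min / ups_runtime_min
    if ratio <= 0.5:
        return 1
    if ratio <= 1.0:
        return 2
    if ratio <= 2.0:
        return 3
    if ratio <= 4.0:
        return 4
    return 5


def treat(risk: Risk, option: str, controls=()) -> Risk:
    """Risk treatment: record the chosen option and the controls it relies on."""
    risk.treatment = option
    risk.planned_controls = list(controls)
    return risk


def build_soa(risks, catalogue):
    """Derive SoA rows from the treatment results: a control is applicable when
    at least one risk relies on it (existing or planned), and the justification
    lists those risks. Returns {control: (applicable, justification_list)}."""
    soa = {}
    for control in catalogue:
        used_by = [f"{r.asset} / {r.threat}" for r in risks
                   if control in r.existing_controls or control in r.planned_controls]
        soa[control] = (bool(used_by), used_by)
    return soa


# Constructed mini control catalogue (stand-in names, not Annex A references).
CATALOGUE = ["UPS", "Power generator", "Hosting at third-party facility",
             "Supplier agreement"]


def example_register():
    # Risk identification, scenario from the answer: generator removed, 30 min of
    # UPS runtime, and an assumed 120 min typical outage before power returns.
    power = Risk(asset="servers, desktops, routers", threat="power failure",
                 vulnerability="lack of power generator", existing_controls=["UPS"],
                 likelihood=power_outage_likelihood(30, 120), impact=4)
    # Constructed third-party risk: a hosting supplier holds your customer data.
    supplier = Risk(asset="customer data at hosting supplier", threat="supplier breach",
                    vulnerability="no contractual security requirements",
                    existing_controls=[], likelihood=3, impact=3)
    return [power, supplier]


def run_example():
    """Run all four steps and return (treated risks, SoA rows)."""
    power, supplier = example_register()
    for r in (power, supplier):
        if r.acceptable():
            treat(r, "accept")
    # Treatment decisions for the unacceptable risks (transfer option from the answer).
    if not power.acceptable():
        treat(power, "transfer", ["Hosting at third-party facility"])
    if not supplier.acceptable():
        treat(supplier, "mitigate", ["Supplier agreement"])
    risks = [power, supplier]
    return risks, build_soa(risks, CATALOGUE)


if __name__ == "__main__":
    risks, soa = run_example()
    for r in risks:
        print(f"{r.asset}: score={r.score()} treatment={r.treatment}")
    for control, (applicable, why) in soa.items():
        print(f"SoA {control}: applicable={applicable} justification={why}")
```

The useful property here is traceability: every "applicable" row in the SoA points back to the risk that made the control necessary, which is what an auditor will ask to see, and a control that no risk relies on (the removed generator) shows up as not applicable with an empty justification, prompting you to document why.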