Expert Advice Community

Guest

Risk assessment question

Guest user | Created: May 30, 2022 | Last commented: Jun 01, 2022

I need some information about 3rd party risk assessment. We are a small business preparing for ISO 27001. I need to know how to fill in the questionnaire for the 3rd party risk assessment. I also want to know how to use the other registers which are mandatory in ISO 27001. In addition, I don’t know how to make the SoA.
Expert
Rhand Leal May 30, 2022

1 - I need some information about 3rd party risk assessment. We are a small business preparing for ISO 27001. I need to know how to fill in the questionnaire for the 3rd party risk assessment. I also want to know how to use the other registers which are mandatory in ISO 27001.

Answer: The general steps for risk assessment and treatment in a 3rd party risk assessment are basically the same as those applied to your own organization:

  • Risk identification (i.e., identification of elements that compose the risk, and already implemented controls)
  • Risk analysis (i.e., the definition of the risk value, considering any already implemented controls)
  • Risk evaluation (i.e., comparing the risk value to risk acceptance criteria to decide if additional treatment is required)
  • Risk treatment (i.e., defining which treatment is to be applied, and its effect on the risk)

Here is an example considering a scenario where a power generator is no longer needed, and possible power failures will be covered by UPS, and the use of the asset-threat-vulnerability approach:

  • Risk identification: assets would be any power-dependent equipment (e.g., servers, desktops, routers, etc.), threat (power failure), vulnerability (lack of power generator), and implemented control (UPS)
  • Risk analysis: without any emergency power supply, your operations will run only as long as the charge of your UPSs lasts before the normal power supply is recovered, so the risk of operational disruption will increase with time (i.e., to value the risk you have to consider how long your UPSs will last and how long it will take for the normal power supply to be reestablished).
  • Risk evaluation: considering your risk evaluation criteria you can decide how to treat (e.g., mitigate, transfer, accept, or avoid)
  • Risk treatment: for mitigation, you may decide to keep the power supply; for transfer, you can decide to operate in a facility physically maintained by a third party; or you can do nothing and absorb the impact if the risk occurs.

Please note that this analysis is valid only for this scenario. For example, if the asset to be removed is a notebook, you must take other considerations into account, like the information stored on the notebook.

These materials will provide you with a further explanation of risk assessment and treatment:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- ISO 27001 Risk Assessment, Treatment, & Management: The Complete Guide https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/

2 - In addition, I don’t know how to make the SOA.

Answer: Regarding the SoA, it is created based on the results of risk treatment, i.e., which controls you need to implement to handle the risks you consider relevant.

For detailed information on how to create a SoA, please read:
- Statement of Applicability in ISO 27001 – What is it and why does it matter? https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/


Considering your questions, I suggest you take a look at our solution Conformio, which can help you implement ISO 27001 by means of task automation and guidance on critical processes, like risk assessment and treatment:
- Conformio (online tool for ISO 27001) http://advisera.com/conformio/
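The four steps in the answer above, and the way the SoA falls out of the treatment decisions, can be made concrete in a small risk register. The following Python script is an added example written for this page; it is not code from the forum post or from Conformio. The 1..5 likelihood and impact scales, the acceptance threshold of 8, the control catalogue and the two sample risks (the UPS scenario from the answer plus a cleaning-contractor risk, since the same steps apply to third parties) are all constructed assumptions.

```python
"""Toy ISO 27001 risk register: identification -> analysis -> evaluation ->
treatment, with the Statement of Applicability derived from the results.
Scales, threshold, control catalogue and sample risks are constructed for
this example and are not taken from the forum post."""
from dataclasses import dataclass, field

RISK_ACCEPTANCE_THRESHOLD = 8   # assumption: risk value above this must be treated

# assumption: a small illustrative control catalogue (no Annex A numbering implied)
CONTROL_CATALOGUE = ["UPS", "power generator", "badge access",
                     "supplier security clauses", "information backup"]


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    implemented_controls: list[str]          # found during risk identification
    likelihood: int                          # 1 rare .. 5 almost certain
    impact: int                              # 1 negligible .. 5 severe
    treatment: str = "accept"                # mitigate | transfer | avoid | accept
    planned_controls: list[str] = field(default_factory=list)

    def value(self) -> int:
        """Risk analysis: the value already reflects the implemented controls."""
        return self.likelihood * self.impact

    def needs_treatment(self) -> bool:
        """Risk evaluation: compare the value with the acceptance criterion."""
        return self.value() > RISK_ACCEPTANCE_THRESHOLD


def outage_impact(ups_runtime_min: int, expected_restore_min: int) -> int:
    """Impact for the UPS scenario: 1 if mains power is back before the UPS
    drains, then one step (capped at 5) for every doubling of the shortfall."""
    impact, covered = 1, ups_runtime_min
    while expected_restore_min > covered and impact < 5:
        impact += 1
        covered *= 2
    return impact


def treat(risk: Risk, option: str, planned_controls=()) -> Risk:
    """Risk treatment: record the chosen option and the controls it adds."""
    risk.treatment = option
    risk.planned_controls = list(planned_controls)
    return risk


def statement_of_applicability(risks, catalogue):
    """A control is applicable when some risk relies on it (implemented or
    planned); otherwise it is recorded as not applicable with a justification."""
    soa = {}
    for control in catalogue:
        users = [f"{r.asset} / {r.threat}" for r in risks
                 if control in r.implemented_controls or control in r.planned_controls]
        soa[control] = {
            "applicable": bool(users),
            "justification": "; ".join(users) if users else "no identified risk requires it",
        }
    return soa


def build_register():
    """Constructed sample register with one internal and one third-party risk."""
    power = Risk("servers, desktops, routers", "power failure", "no power generator",
                 implemented_controls=["UPS"], likelihood=3,
                 impact=outage_impact(ups_runtime_min=30, expected_restore_min=240))
    # third-party example: the cleaning contractor is not under the organization's control
    cleaner = Risk("server room", "unauthorized physical access", "unescorted contractor",
                   implemented_controls=["badge access"], likelihood=2, impact=4)
    for risk in (power, cleaner):
        if risk.needs_treatment():
            treat(risk, "mitigate", ["power generator"] if risk is power
                  else ["supplier security clauses"])
    return [power, cleaner]


if __name__ == "__main__":
    register = build_register()
    for r in register:
        print(f"{r.asset}: value={r.value()} treatment={r.treatment}")
    for control, row in statement_of_applicability(register, CONTROL_CATALOGUE).items():
        print(f"{control:26} applicable={row['applicable']!s:5} {row['justification']}")
```

With these assumed values the power-failure risk scores 12 and is mitigated with a planned generator, while the contractor risk scores exactly 8, meets the acceptance criterion and stays accepted; the SoA then lists the generator as applicable only because a treatment decision introduced it, which is the dependency the answer describes.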

Guest
Wafa May 30, 2022

Thank you for your feedback, but I have a specific question about the 3rd party questionnaire. Who is the 3rd party? Can we consider the cleaner as a 3rd party?

Expert
Rhand Leal Jun 01, 2022

First of all, sorry for this confusion.

A third party is any entity that is not under the direct control of an organization. Examples of third parties are: customers, suppliers, visitors, contractors, consultants, etc.

A cleaner that does not belong to the organization’s staff can be considered a third party.
