Risk assessment Vs SoA

Guest user Created:   Dec 23, 2021 Last commented:   Dec 23, 2021

Dears, once we handle the risk assessment and the treatment plan, we will choose the controls necessary to reduce the related risks. In the SoA we have to go through the 114 controls and choose which of them are implemented, will be implemented, or are not applicable. So we are repeating the same steps in both the risk assessment and the SoA... so why not only go through the 114 controls, and this will cover both steps (controls needed to reduce the risk and the SoA process)? Appreciate your feedback.

Expert
Rhand Leal Dec 23, 2021

Please note that the risk assessment, risk treatment, and elaboration of the Statement of Applicability have very different steps, so you do not repeat the same activities. And you cannot go directly to the controls because the standard requires all defined steps for risk assessment and risk treatment to be performed.

In risk assessment you identify, analyse and evaluate risks. As output you have a prioritized list of risks, and which ones require treatment or not.

In risk treatment you define treatment options and applicable controls, elaborate the SoA and the risk treatment plan, approve the risk treatment plan, and accept the residual risks.

The Statement of Applicability is different from risk treatment because there you need to take into account, besides the results of the risk assessment, legal and regulatory requirements as well as management decisions. On top of this, the SoA keeps track of the implementation method and implementation status - these are not mentioned in the risk treatment.

In Conformio, the Statement of Applicability is created automatically based on the results of the Risk Register module. You only need to add some items if needed, like justifications based on legal and contractual requirements, or management decisions, or specific information about implementation methods.

For further information, see:
- How to automate the creation of the Statement of Applicability https://advisera.com/conformio/blog/2021/01/20/how-to-automate-the-creation-of-statement-of-applicability/

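To make the distinction in the answer above concrete, here is an added example (not code from the forum post, and not Conformio's own logic) that derives a Statement of Applicability from a risk register and then adds the inputs the risk treatment alone does not carry: legal/regulatory requirements, management decisions, and the implementation method and status of each control. The control catalogue is a constructed subset of Annex A (the real catalogue has 114 controls), the risks, threshold and justifications are constructed sample data, and all function and field names are assumptions made for this illustration.

```python
"""Deriving a Statement of Applicability (SoA) from a risk register plus the
inputs that the risk treatment plan does not contain.  Constructed example."""
from dataclasses import dataclass, field

# Constructed subset of the Annex A control catalogue.  ISO 27001:2013 lists
# 114 controls; only a handful are included here to keep the example short.
CONTROL_CATALOGUE = {
    "A.5.1.1": "Policies for information security",
    "A.6.2.2": "Teleworking",
    "A.9.2.3": "Management of privileged access rights",
    "A.12.4.1": "Event logging",
    "A.12.6.1": "Management of technical vulnerabilities",
    "A.14.2.7": "Outsourced development",
    "A.18.1.4": "Privacy and protection of personally identifiable information",
}


@dataclass
class Risk:
    risk_id: str
    description: str
    level: int           # result of risk analysis / evaluation
    controls: list       # controls selected during risk treatment


@dataclass
class SoAEntry:
    control_id: str
    title: str
    applicable: bool = False
    justifications: list = field(default_factory=list)
    implementation_method: str = ""
    status: str = "not applicable"


# Constructed: risks at or above this level require treatment; below it they
# are accepted, so their candidate controls are NOT selected by the treatment.
ACCEPTANCE_THRESHOLD = 6

# Constructed risk register output: a prioritized list with chosen controls.
RISK_REGISTER = [
    Risk("R-01", "Admin credentials reused across servers", 9, ["A.9.2.3", "A.12.4.1"]),
    Risk("R-02", "Unpatched internet-facing web server", 8, ["A.12.6.1"]),
    Risk("R-03", "Loss of an encrypted laptop", 3, ["A.6.2.2"]),  # accepted
]

# Inputs that exist only at SoA level (constructed sample values).
LEGAL_REQUIREMENTS = {"A.18.1.4": "data protection law applies to customer PII"}
MANAGEMENT_DECISIONS = {"A.5.1.1": "board requires a published security policy"}
IMPLEMENTATION = {  # method and status are tracked in the SoA, not in the plan
    "A.9.2.3": ("PAM tool with quarterly access review", "implemented"),
    "A.12.6.1": ("monthly patch cycle plus emergency patching SLA", "planned"),
}


def build_soa(catalogue, register, legal, decisions, implementation, threshold):
    """Return {control_id: SoAEntry} covering every control in the catalogue."""
    soa = {cid: SoAEntry(cid, title) for cid, title in catalogue.items()}
    # 1. Controls selected by risk treatment (only for risks needing treatment).
    for risk in register:
        if risk.level < threshold:
            continue
        for cid in risk.controls:
            soa[cid].applicable = True
            soa[cid].justifications.append(f"risk treatment of {risk.risk_id}")
    # 2. Controls required by law/regulation or chosen by management.
    for cid, why in legal.items():
        soa[cid].applicable = True
        soa[cid].justifications.append(f"legal/regulatory: {why}")
    for cid, why in decisions.items():
        soa[cid].applicable = True
        soa[cid].justifications.append(f"management decision: {why}")
    # 3. Every remaining control is explicitly marked not applicable, and every
    #    applicable control gets its implementation method and status.
    for entry in soa.values():
        if not entry.applicable:
            entry.justifications.append(
                "no risk, legal or management requirement identified")
            continue
        method, status = implementation.get(entry.control_id, ("to be defined", "planned"))
        entry.implementation_method, entry.status = method, status
    return soa


def controls_beyond_risk_treatment(soa):
    """Applicable controls that the risk treatment alone would never have listed."""
    return sorted(cid for cid, e in soa.items()
                  if e.applicable and not any(j.startswith("risk treatment")
                                              for j in e.justifications))


if __name__ == "__main__":
    soa = build_soa(CONTROL_CATALOGUE, RISK_REGISTER, LEGAL_REQUIREMENTS,
                    MANAGEMENT_DECISIONS, IMPLEMENTATION, ACCEPTANCE_THRESHOLD)
    for e in soa.values():
        print(f"{e.control_id:<9} {'yes' if e.applicable else 'no ':<4} "
              f"{e.status:<15} {'; '.join(e.justifications)}")
    print("only in SoA:", controls_beyond_risk_treatment(soa))
```

Running it shows that A.6.2.2 stays not applicable because its only risk was accepted, that A.18.1.4 and A.5.1.1 become applicable with no risk treatment behind them, and that A.12.4.1 is applicable yet still has no defined implementation method. None of those three facts can be recovered by walking the control list once, which is the answer's point.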