Expert Advice Community

Risk Consultation

Guest user Created: Apr 26, 2021 Last commented: Apr 26, 2021
Can I include information security objectives within the risk treatment plan? How should I include the information security objectives in the asset list and then assess the risks and treat them?


Expert
Rhand Leal Apr 26, 2021

ISO 27001 is pretty flexible when it comes to documenting your security objectives - you can write them in your Information Security Policy, in the Statement of Applicability, or in some separate document.

When using our ISO 27001 Documentation Toolkit, you can document the general ISMS objectives in the Information Security Policy, and specific objectives for controls (or groups of controls) in the Statement of Applicability.

Including the information security objectives within the risk treatment plan, or in the asset list, would not be efficient, because a single information security objective can be linked to many actions in the plan or assets in the asset list, which would make them very difficult to understand and maintain.

This article will also help you:

In this free online training you'll find detailed guidance on setting the objectives:
