Guest user Created: Apr 11, 2022 Last commented: Apr 11, 2022

Risk re-evaluation processes Risk Treatment and Annex A controls

If you could help me with this question about documenting Risk re-evaluation processes Risk Treatment with ISO certified SOA already in place: Is it mandatory to document the mapping process in other words choose the Annex A controls to the relevant risks in the 05.2_Appendix_2_Risk_Treatment_Table, from the drop down menu or is it enough that applicable controls are determined [necessary to implement, 6.1.3.b)] and compared [with Annex, A 6.1.3. c)] only in the SOA? I’m conducting risk re-evaluation and if any new controls are applicable, I believe I’m able to spot them and write them straight to SOA without mapping all the controls beforehand in RT Table.

0 0

Assign topic to the user

Select user

Expert

Rhand Leal Apr 11, 2022

In the situation where you review the risks (i.e., the ISMS is already fully implemented), you need to go through your Risk assessment table and Risk treatment table and conclude if there are any new risks and/or new controls that need to be addressed - if yes, you need to update these documents, and also reflect this change in the Statement of Applicability. If there are no new risks, you need to document this fact, the best way to do this is to inform the top management at the next management review so that this is recorded in the Management review minutes.

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Apr 11, 2022

Expert Advice Community