SPRING DISCOUNT
Get 30% off on toolkits, course exams, and books.
Limited-time offer – ends May 26, 2022
Use promo code:
SPRING30

Expert Advice Community

Guest

Risk re-evaluation processes Risk Treatment and Annex A controls

  Quote
Guest
Guest user Created:   Apr 11, 2022 Last commented:   Apr 11, 2022

Risk re-evaluation processes Risk Treatment and Annex A controls

If you could help me with this question about documenting Risk re-evaluation processes Risk Treatment with ISO certified SOA already in place: Is it mandatory to document the mapping process in other words choose the Annex A controls to the relevant risks in the 05.2_Appendix_2_Risk_Treatment_Table, from the drop down menu or is it enough that applicable controls are determined [necessary to implement, 6.1.3.b)] and compared [with Annex, A 6.1.3. c)] only in the SOA? I’m conducting risk re-evaluation and if any new controls are applicable, I believe I’m able to spot them and write them straight to SOA without mapping all the controls beforehand in RT Table.
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Apr 11, 2022

In the situation where you review the risks (i.e., the ISMS is already fully implemented), you need to go through your Risk assessment table and Risk treatment table and conclude if there are any new risks and/or new controls that need to be addressed - if yes, you need to update these documents, and also reflect this change in the Statement of Applicability. If there are no new risks, you need to document this fact, the best way to do this is to inform the top management at the next management review so that this is recorded in the Management review minutes. 

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Apr 11, 2022

Apr 11, 2022