Just a quick question: is it right that a client could ask to see a company's risk register? Also, regarding vulnerabilities: let's say a vulnerability scan found certain ports open within a company, and the owner then enters this into the risk register. This could then be seen and passed on to a potential client. So the gist of my question is: should we enter all vulnerabilities found by a scan into the risk register, knowing that a potential client could request this?
Common documents requested by customers are the Information Security Policy, Statement of Applicability, and Audit Report. Other documents can be requested depending on what customers need.
To share such documents (some of them may contain sensitive information about your organization, like your risk register), you should first evaluate whether the risks are worth it (e.g., the audit report contains very sensitive information about your ISMS status, but the requester is your biggest customer or a potential customer you want to include in your portfolio). If you consider that the risk of sharing this information is acceptable, then you should put a Non-Disclosure Agreement in place with these customers to formalize the required conditions for the protection of this information.
Regarding the information in the risk register, all vulnerabilities considered relevant should be included in it.
Feb 10, 2021