Expert Advice Community

Guest

Risk register

  Quote
Guest
Guest user Created:   Feb 10, 2021 Last commented:   Feb 10, 2021

Risk register

Just a quick question, is it right that a client could ask to see a risk register of a company. Also all Vulnerability let's say a Vulnerability scan found certain ports open within a company then the owner enters this into the risk register this could then be seen and passed onto a potential client. So gist of my question is should we enter all Vulnerability found from a scan into risk register knowing that a potential client could request this.

0 0

Assign topic to the user

Assign

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Feb 10, 2021

Common documents required by customers are the Information Security Policy, Statement of Applicability, and Audit Report. Other documents can be asked depending upon what customers need.

To share such documents (some of them may have sensitive information about your organization, like your risk register) you first should evaluate if the risks are worthy (e.g., the audit report has very sensitive information about your ISMS status, but the requester is your biggest customer or a potential customer you want to include in your portfolio). If you consider that the risk of sharing this information is acceptable, then you should provide a Non-Disclosure Agreement with these customers to formalize the required conditions for the protection of this information.

Regarding the information in the risk register, all vulnerabilities considered relevant should be included in the risk register.

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Feb 10, 2021

Feb 10, 2021

Suggested Topics

Guest user Created:   May 06, 2020 ISO 27001 & 22301
Replies: 1
0 0

Risk register

Guest user Created:   Jun 12, 2019 ISO 27001 & 22301
Replies: 1
0 0

Risk Registers