Risk Treatment
I am very new in this field (IT Security ISO 27001) and my biggest issue is to understand how can I improve my knowledge and use for the praxis because I have good knowledge about ISO27001 but I don't have any idea how can in use that in praxis.
For example when I have scope and SoA documents how can I implement to the praxis with help from ISO 27001 and create a risk analysis, Risk treatment, and so on.
It would be very grating if you have some advice for me.
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
To improve your knowledge about putting ISO27001 in practice I suggest you read our blog posts and papers because most of them include real examples on how to fulfill requirements of the standard or apply controls. A good general guide is these free download:
- Clause-by-clause explanation of ISO 27001 (PDF) https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001
- Step-by-step explanation of ISO 27001 risk management (PDF) https://info.advisera.com/27001academy/free-download/step-by-step-explanation-of-iso-27001-risk-management
Besides the explanation in the papers themselves, they include links to detailed articles.
Regarding your example, please note that the Statement of Applicability is part of the risk management process required by ISO 27001, and it is created after risk analysis and risk treatment. The correct sequence of your example is:
- ISMS scope: where you define which information you want to protect and where it is located
- Risk analysis: the identification of relevant risks that can negatively impact your scope
- Risk treatment: the definition of the general approach to treat relevant risks (e.g., risk mitigation, risk avoidance, risk acceptance, and risk transfer)
- SoA: where you identify the controls that are considered applicable for you ISMS, the justification for include such controls, the justification for not including some of the controls of ISO 27001 Annex A (if necessary), and the implementation status of applicable controls.
These articles will provide you a further explanation about risk management according to ISO 27001 and implementation steps:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
These materials will also help you regarding ISO 27001:
- ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Comment as guest or Sign in
Jun 15, 2020