Risk Treatment and RTP
I have questions about risk management, I was wondering if you could help me with these.
Does ISO 27001 require a risk treatment plan as one single plan, or is it acceptable to make risk treatment plans per risk and approvals per risk? And if it is acceptable, what elements per treated risk must be present (responsibility, timetable, etc.)? The question arises because of risk software which allows making a risk assessment and treatment and planning treatment on a per-risk basis; there is no means to collect all risks in one single plan (which contains the treatment descriptions).
Does ISO 27001 require a documented comparison procedure of the controls (determined in 6.1.3 b) with those in Annex A? The question arises because the before-mentioned software has no means to make up a control comparison in a composed way, e.g. a control table to use for the comparison (like the Advisera Risk Treatment table template has).
1. Does ISO 27001 require a risk treatment plan as one single plan, or is it acceptable to make risk treatment plans per risk and approvals per risk? And if it is acceptable, what elements per treated risk must be present (responsibility, timetable, etc.)? The question arises because of risk software which allows making a risk assessment and treatment and planning treatment on a per-risk basis; there is no means to collect all risks in one single plan (which contains the treatment descriptions).
ISO 27001 does not prescribe how to document the risk treatment plan, so organizations can develop it in whatever way best fits their needs.
However, our suggestion is to write the Risk Treatment Plan as a single document, because trying to implement ISO 27001 on a risk-by-risk basis is going to create huge problems in the implementation.
In your toolkit, there is a template for an activity-based Risk Treatment Plan in the folder 07 Implementation Plan.
2. Does ISO 27001 require a documented comparison procedure of the controls (determined in 6.1.3 b) with those in Annex A? The question arises because the before-mentioned software has no means to make up a control comparison in a composed way, e.g. a control table to use for the comparison (like the Advisera Risk Treatment table template has).
ISO 27001 requires documented information about the risk treatment process, and this is usually in the form of a Risk Assessment and Risk Treatment Methodology. For the comparison of the controls, you can simply state in this methodology that once the necessary controls are defined, they are compared against those from ISO 27001 Annex A.
In your toolkit, there is a template for the Risk Assessment and Risk Treatment Methodology in the folder 05 Risk Assessment and Risk Treatment.
You can use the Statement of Applicability as evidence of the result of this comparison.
In your toolkit, there is a template for the Statement of Applicability in the folder 06 Applicability of Controls.
For further information, see:
- Statement of Applicability in ISO 27001 – What is it and why does it matter? https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
Nov 27, 2022