Risk treatment plan
Es claro que sobre los activos de información que corresponden al alcance del SGSI se debe definir el Plan de Tratamiento de Riegos. Se debería siempre considerar el SGSI como un activo de información en sí mismo? Y, por lo tanto se deberían identificar los riesgos asociados a su gestión). Por ejemplo: El Riesgo de no definir bien el alcance, el riego de no haber inventariados todos los activos pertinentes al alcance, el riesgo de no definir bien el SOA, el riesgo de no haber definido de manera integral y coherente el Plan de Tratamiento de Riesgos (RTP), etc. Es usual este enfoque? o esto excede al SGSI en si mismo? De antemano gracias por tu respuesta.
(It is clear that the information assets that correspond to the scope of the ISMS must define the Risk Treatment Plan. Should the ISMS always be viewed as an information asset in itself? And, therefore, the risks associated with its management should be identified). For example: The risk of not defining the scope well, the risk of not having inventoried all the relevant assets within the scope, the risk of not defining the SOA well, the risk of not having comprehensively and coherently defined the Treatment Plan for Risks (RTP), etc. Is this approach usual? or does this exceed the ISMS itself? Thank you in advance for your answer.)
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
First is important to note that ISO 27001 does not prescribe the use of information assets for the definition of the Risk Treatment Plan. The RTP only defines the activities that are required to decrease the risks, which can be identified by different approaches, such as asset bases, process bases, and scenario based.
Considering that, when using an asset-based approach, you should consider the ISMS documentation as an asset, because the information you want to protect can be compromised if a document or record fails to fulfill standard’s requirements or any other identified requirement.
These articles will provide you a further explanation about risk assessment and risk treatment:
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
These materials will also help you regarding risk treatment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Comment as guest or Sign in
Jan 21, 2021