Risk treatment plan
Hello, I want to make an inquiry. If the Risk Treatment Plan is considered an "Action Plan", can the information security objectives be included in the plan?
ISO 27001 is pretty flexible when it comes to documenting your security objectives - you can write them in your Information Security Policy, in the Statement of Applicability, or in some separate document.
When using our ISO 27001 Documentation Toolkit, you can document the general ISMS objectives in the Information Security Policy, and specific objectives for controls (or groups of controls) in the Statement of Applicability.
Including the information security objectives within the risk treatment plan, which can be considered an "Action plan", or in the asset list would not be efficient, because a single information security objective can be linked to many actions in the plan or assets in the asset list, which would make them very difficult to understand and maintain.
This article will also help you:
- ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
In this free online training, you'll find detailed guidance on setting the objectives:
- ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Apr 23, 2021