Take the ISO 27001 course exam and get the EU GDPR course exam for free

Expert Advice Community


Risks treatment

Guest user Created:   Aug 20, 2021 Last commented:   Aug 20, 2021

Risks treatment

Yet another question. Since our company is in the early stages and consists of a small organization, we are able to easily change our ways of working. This means we can also prevent getting into situations where we have risks which are unacceptable.

As I understand it, if we're able to implement all relevant controls before entering any ISO27001 certification, then we should be able to completely ignore documents such as the ones regarding risk treatment. This would mean that status for all items in Statement of Applicability is either set to not applicable, or fully implemented. Can you confirm that we are able to ignore the documents related to risk treatment in this case? Also, is it common to do it like this?

0 0

Assign topic to the user


Step-by-step implementation for smaller companies.


Step-by-step implementation for smaller companies.

Rhand Leal Aug 20, 2021

Please note that “documents regarding risk treatment” can mean documents related to ISO 27001 clauses 6.1.3 and 8.3), and documents related to ISO 27001 Annex A.

Documents related to clauses 6.1.3 and 8.3 cannot be ignored because they are mandatory documentation. You need to develop them to be compliant with the standard. You need to document the results of risk treatment, even if you already have implemented controls. Documents required by these clauses are:
- Risk treatment plan (clauses 6.1.3 e, 6.2, and 8.3)
- Risk assessment report (clauses 8.2 and 8.3)

Regarding ISO 27001 Annex A, some controls, when defined as applicable, also require documents to be written:
- Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
- Inventory of assets (clause A.8.1.1)
- Acceptable use of assets (clause A.8.1.3)
- Access control policy (clause A.9.1.1)
- Operating procedures for IT management (clause A.12.1.1)
- Secure system engineering principles (clause A.14.2.5)
- Supplier security policy (clause A.15.1.1)
- Incident management procedure (clause A.16.1.5)
- Business continuity procedures (clause A.17.1.2)
- Statutory, regulatory, and contractual requirements (clause A.18.1.1)

In case you have implemented any of the abovementioned controls you need to develop related documents. For other controls no documentation is defined as mandatory, and you do not need to develop documents for them.

This article will provide you a further explanation about risk management and mandatory documents:
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

These materials will also help you regarding risk management:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-risk-management-in-plain-english/

0 0

Comment as guest or Sign in

HTML tags are not allowed

Aug 19, 2021

Aug 19, 2021

Suggested Topics

Guest user Created:   Apr 26, 2021 ISO 27001 & 22301
Replies: 1
0 0

Risk Consultation