Risk treatment
Please note that “documents regarding risk treatment” can mean documents related to ISO 27001 clauses 6.1.3 and 8.3, and documents related to ISO 27001 Annex A.
Documents related to clauses 6.1.3 and 8.3 cannot be ignored because they are mandatory documentation. You need to develop them to be compliant with the standard. You need to document the results of risk treatment, even if you already have implemented controls. Documents required by these clauses are:
- Risk treatment plan (clauses 6.1.3 e, 6.2, and 8.3)
- Risk assessment report (clauses 8.2 and 8.3)
Regarding ISO 27001 Annex A, some controls, when defined as applicable, also require documents to be written:
- Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
- Inventory of assets (clause A.8.1.1)
- Acceptable use of assets (clause A.8.1.3)
- Access control policy (clause A.9.1.1)
- Operating procedures for IT management (clause A.12.1.1)
- Secure system engineering principles (clause A.14.2.5)
- Supplier security policy (clause A.15.1.1)
- Incident management procedure (clause A.16.1.5)
- Business continuity procedures (clause A.17.1.2)
- Statutory, regulatory, and contractual requirements (clause A.18.1.1)
In case you have implemented any of the above-mentioned controls, you need to develop the related documents. For other controls, no documentation is defined as mandatory, and you do not need to develop documents for them.
These articles will provide you with further explanation about risk management and mandatory documents:
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
These materials will also help you regarding risk management:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-risk-management-in-plain-english/
Aug 19, 2021