Who owns the risk?
My query is regarding the RISK assessment process. Who will own the risk? Let's take an example, i.e. a firewall used by the Delivery center is managed by the IT team, so who will accept the risk related to all firewalls, i.e. Delivery center management or IT department management?
The other way is to not mention the firewall asset in the asset register, as the Delivery center defines OLAs with the IT department for all services (network support, server support etc.) and caters for this requirement in the OLAs. Please assist with what the approach should be in this scenario.
Answer:
I'm not sure if I understood your question correctly, but all the assets in your ISMS scope must be listed, you cannot leave out any of the assets.
The risk owner must be a person who is both interested in resolving the risk, and has the authority to do something about it. So in the case of risks related to the network, this is probably the head of your IT department.
See also this article: Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
This free online course will explain everything to you about risk assessment and treatment: ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
In my risk assessment, if I am listing the firewall (it is a shared resource which is being used for the support organization also, including the delivery center) as an asset managed by the IT team which is not part of the ISMS scope, and highlight risks like hackers and unauthorized access, what is required to be filled in the existing control column of my risk assessment sheet? Do I need to mention the controls implemented by the IT team to mitigate those risks, or do I need to mention the controls implemented by the Delivery center as a supplier to control those risks in the firewall?
In the "Existing controls" column you should list all the controls that are currently implemented related to the risk - sometimes the asset itself will be the control, like in case of a firewall.
However, if the asset is managed by an entity that is not part of the scope, then likely this asset is also not going to be included in the ISMS scope.
This article will also help you: How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
Sure, we can organize a call, please contact me via email.
Jun 27, 2016