Who owns the risk?

Guest user Created:   Jun 24, 2016 Last commented:   Jun 24, 2016


We are planning for ISO 27001 certification for one delivery center located at some location. The delivery center IT management (networks, servers, security, helpdesk, applications) required to deliver services to customers remotely is managed by another IT team, which is not part of the scope.

Expert
Dejan Kosutic Jun 24, 2016

My query is regarding the risk assessment process. Who will own the risk? Let's take an example: a firewall used by the delivery center is managed by the IT team, so who will accept the risk related to all firewalls, i.e. delivery center management or IT department management?
The other way is to not mention the firewall asset in the asset register, as the delivery center defines OLAs with the IT department for all services (network support, server support, etc.) and caters to this requirement in the OLAs. Please assist with what the approach should be in this scenario.

Answer:

I'm not sure if I understood your question correctly, but all the assets in your ISMS scope must be listed, you cannot leave out any of the assets.

The risk owner must be a person who is both interested in resolving the risk and has the authority to do something about it. So in the case of risks related to the network, this is probably the head of your IT department.

See also this article: Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/

This free online course will explain everything to you about risk assessment and treatment: ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Guest
lawman Jun 24, 2016

Is it possible to have quick call on Skype?

Guest
lawman Jun 24, 2016

In my risk assessment, if I am listing the firewall (it is a shared resource which is also being used by the support organization, including the delivery center) as an asset managed by the IT team, which is not part of the ISMS scope, and highlight risks like hackers and unauthorized access, what is required to be filled in the existing controls column of my risk assessment sheet? Do I need to mention the controls implemented by the IT team to mitigate those risks, or do I need to mention the controls implemented by the delivery center as a supplier to control those risks in the firewall?

Expert
Dejan Kosutic Jun 27, 2016

In the "Existing controls" column you should list all the controls that are currently implemented related to the risk - sometimes the asset itself will be the control, as in the case of a firewall.

However, if the asset is managed by an entity that is not part of the scope, then likely this asset is also not going to be included in the ISMS scope.

This article will also help you: How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

Sure, we can organize a call, please contact me via email.
