Worked on metadata standard for Corpus, plus RTP
This commit is contained in:
parent
68f1c38681
commit
10c440ec83
4 changed files with 274 additions and 14 deletions
50
Corpus/Standards/ISO27x/Risk Treatment Plan.md
Normal file
@ -0,0 +1,50 @@
# Risk Treatment Plan
Find faults or omissions in my reasoning.
The Canonical Form of a policy is:
>To mitigate the risk of R, control C will be implemented on asset A under the responsibility of asset owner AO. The effectiveness will be measured through method M and will be evaluated by risk owner RO, against established risk criteria RC.
To establish the compliance of the implementation of a specific control to the ISO 27001 standard, the auditor will look for the following:
- the risk that the control is supposed to mitigate
- the risk owner
- the scope of the control, in terms of organizational scope (certain business activities, organizational units) and asset(s) protected
- the control owner
- a description of the 'how' or the activities involved in the implementation, including roles and responsibilities
- how the effectiveness of the control will be established, when, and by whom
- how the effectiveness of the control will be evaluated, when, and by whom
- possible exemptions to the policy
- how exceptions will be handled
- where all this is documented (policies, logs etc., evaluation)
- for this documentation: Version information and who has authoured and signed off on the policy, Revision dates (+ next evaluation)
- what the change procedure is for a relevant policy
**"Formally":**
- A policy formally expresses the intentions and direction of management. Rather than detailing exactly _how_ a task should be executed, the overarching information security policy is supported by "topic-specific policies" **as needed** to mandate the implementation of controls for specific target groups or security areas (such as access control, physical security, or secure development).
- **The Role of a Procedure (The "How"):** The specific steps on _how_ to carry out an activity or process are defined in a **procedure**. For example, Control 5.37 requires organizations to maintain "documented operating procedures" that provide personnel with the detailed, step-by-step instructions needed to ensure the correct and secure operation of information processing facilities
- It is also important to note that a control is broadly defined as **any measure that modifies or maintains risk**. Therefore, a control itself can take the form of a policy, a procedure, a process, or a technical hardware/software function
Version Control
| Type | Value |
| --------------- | ----- |
| Version number: | x.xx |
| Version date: | x.xx |
| Document owner: | name |
| Approved by: | name |
| Approved on: | date |
| Next review: | date |
The Document Owner is responsible for development and implementation of the policy.
- [ ] Check Standard on documentation and ownership
## Approved
Name: | name
--- | ---
Signature: | signature
Date: | date
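Review bot: the canonical form near the top of the file names only an asset owner (AO) and a risk owner (RO), but the auditor checklist below it lists "the control owner" as a separate item, so a plan written in the canonical form cannot satisfy the checklist it is meant to pass; consider naming the control owner explicitly, e.g. `>To mitigate the risk of R, control C will be implemented on asset A by control owner CO, under the responsibility of asset owner AO. ...`. The canonical form also omits the "when" that the checklist asks for twice (effectiveness established "when, and by whom", evaluated "when, and by whom"), so a measurement frequency or review date belongs in the sentence as well. The checklist itself has no item for the residual risk that remains once control C is in place, nor for the risk owner's approval of the plan and acceptance of that residual risk, which ISO 27001 clause 6.1.3 requires of a risk treatment plan; this fits naturally next to "the risk owner". Minor: "authoured" should read "authored", and the placeholder for "Version date:" should be a date rather than "x.xx" to match the "Version number:" row above it.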