Cleaned up Literature folder

Richard Kranendonk 2026-05-18 12:48:01 +02:00
parent 73a6380034
commit fe5eda4e05
586 changed files with 53911 additions and 2475 deletions

@ -0,0 +1,50 @@
# Risk assessment and treatment at two levels in ISO 27001
Risk assessment and risk treatment are discussed both in Chapter 6 and in Chapter 8. What is the difference?
The relationship between , (Information security risk assessment), and (Information security risk treatment) hinges on their roles within the Information Security Management System (ISMS) framework defined by ISO/IEC 27001:2022.
In essence, Clauses [6.1.2](../../ISMS/Qualifying%20vs%20quantifying%20risks.md) and [6.1.3](../../MoCs/ISO_27001_2022_6.1.3_MoC%20Information%20security%20risk%20treatment.md) (Information security risk assessment and risk treatment) define the _processes_ and _criteria_ for risk management within the planning stage, while Clauses [8.2](../../MoCs/ISO_27001_2022_8.2_MoC%20Information%20security%20risk%20assessment.md) and [8.3](../../MoCs/ISO_27001_2022_8.3_MoC%20Information%20security%20risk%20treatment.md) define the _operational execution_ and _timing_ for applying those established processes.
### 1. Risk Processes Defined (Planning: Clause 6)
Clauses 6.1.2 and 6.1.3, located within the **Planning (Clause 6)** section of the ISO/IEC 27001 requirements, establish the foundational framework and repeatable methodology for how the organization approaches risk management:
- **6.1.2 Information security risk assessment:** This clause mandates the **definition and application** of a risk assessment process. This process includes:
- Establishing and maintaining risk criteria, including risk acceptance criteria.
- Ensuring that repeated assessments produce consistent, valid, and comparable results.
- Identifying, analyzing, and evaluating information security risks associated with the loss of confidentiality, integrity, and availability within the scope of the ISMS, and determining risk owners.
- The organization must **retain documented information** about this defined risk assessment process.
- **6.1.3 Information security risk treatment:** This clause mandates the **definition and application** of a risk treatment process. This process involves:
- Selecting appropriate risk treatment options based on assessment results.
- Determining all necessary controls needed to implement the chosen treatment options.
- **Comparing** the determined controls against those listed in **Annex A** (which is directly derived from ISO/IEC 27002 controls) to ensure no necessary controls have been omitted.
- Producing a **Statement of Applicability (SoA)** detailing the controls chosen, justification for inclusion, implementation status, and justification for excluding any Annex A controls.
- Formulating an **Information security risk treatment plan**.
- Obtaining approval for the treatment plan and acceptance of residual risks from risk owners.
- The organization must **retain documented information** about this defined risk treatment process.
- The risk assessment and treatment processes align with the principles and guidelines found in ISO 31000.
### 2. Risk Processes Implemented (Operation: Clause 8)
Clauses 8.2 and 8.3, located within the **Operation (Clause 8)** section, describe when and how the processes defined in Clause 6.1.2 and 6.1.3 must be actively performed by the organization.
- **8.2 Information security risk assessment:** This clause specifies the **trigger events** for conducting the risk assessment defined earlier in 6.1.2. The organization must perform risk assessments at **planned intervals** or when **significant changes are proposed or occur**. These assessments must follow the criteria established in 6.1.2 a).
- The organization is required to retain documented information of the **results** of these operational risk assessments.
- **8.3 Information security risk treatment:** This clause specifies the **action** required following the determination of the risk treatment plan (formulated in 6.1.3 e)). The organization must **implement the information security risk treatment plan**.
- The organization is required to retain documented information of the **results** of this operational risk treatment.
### Summary of the Relationship
|Clause|Section|Focus|Purpose in the ISMS Cycle|
|:--|:--|:--|:--|
|**6.1.2** (Risk assessment)|Planning|**Defining the Risk Methodology**|Establishes _how_ risk assessment will be performed (criteria, repeatable process, identification, analysis, evaluation).|
|**6.1.3** (Risk treatment)|Planning|**Defining the Treatment Framework**|Establishes _how_ risks will be treated (control selection, comparison with Annex A, SoA creation, plan formulation, residual risk acceptance).|
|**8.2** (Risk assessment)|Operation|**Executing the Assessment**|Defines _when_ the defined risk assessment process (6.1.2) must be carried out (planned intervals or significant changes).|
|**8.3** (Risk treatment)|Operation|**Executing the Treatment**|Requires the organization to _implement_ the risk treatment plan formulated during the planning stage (6.1.3).|
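Review bot: the opening sentence of the introduction ("The relationship between , (Information security risk assessment), and (Information security risk treatment) hinges on ...") has empty references where the clause identifiers should appear, so it does not read as a sentence; fill in the clause numbers the parentheticals refer to, consistent with the next sentence and the summary table (6.1.2 / 8.2 for risk assessment, 6.1.3 / 8.3 for risk treatment). Also check the link targets: 6.1.2 links to `../../ISMS/Qualifying%20vs%20quantifying%20risks.md` while 6.1.3, 8.2 and 8.3 all link to their MoC files under `../../MoCs/`; if a MoC file for 6.1.2 exists, linking it here would keep the four references parallel, otherwise a short note on why 6.1.2 points elsewhere would help readers of the Literature folder.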