# Risk Treatment Plan

Find faults or omissions in my reasoning.

The Canonical Form of a policy is:

> To mitigate the risk of R, control C will be implemented on asset A under the responsibility of asset owner AO. The effectiveness will be measured through method M and will be evaluated by risk owner RO, against established risk criteria RC.

To establish the compliance of the implementation of a specific control with the ISO 27001 standard, the auditor will look for the following:

- the risk that the control is supposed to mitigate
- the risk owner
- the scope of the control, in terms of organizational scope (certain business activities, organizational units) and the asset(s) protected
- the control owner
- a description of the 'how', i.e. the activities involved in the implementation, including roles and responsibilities
- how the effectiveness of the control will be established, when, and by whom
- how the effectiveness of the control will be evaluated, when, and by whom
- possible exemptions to the policy
- how exceptions will be handled
- where all of this is documented (policies, logs, evaluations etc.)
- for this documentation: version information, who has authored and signed off on the policy, revision dates (+ next evaluation)
- what the change procedure is for a relevant policy

**"Formally":**

- A policy formally expresses the intentions and direction of management. Rather than detailing exactly _how_ a task should be executed, the overarching information security policy is supported by "topic-specific policies" **as needed** to mandate the implementation of controls for specific target groups or security areas (such as access control, physical security, or secure development).
- **The Role of a Procedure (The "How"):** The specific steps on _how_ to carry out an activity or process are defined in a **procedure**. For example, Control 5.37 requires organizations to maintain "documented operating procedures" that provide personnel with the detailed, step-by-step instructions needed to ensure the correct and secure operation of information processing facilities.
- It is also important to note that a control is broadly defined as **any measure that modifies or maintains risk**. Therefore, a control itself can take the form of a policy, a procedure, a process, or a technical hardware/software function.

## Version Control

| Type            | Value |
| --------------- | ----- |
| Version number: | x.xx  |
| Version date:   | x.xx  |
| Document owner: | name  |
| Approved by:    | name  |
| Approved on:    | date  |
| Next review:    | date  |

The Document Owner is responsible for the development and implementation of the policy.

- [ ] Check Standard on documentation and ownership

## Approved

| Name:      | name      |
| ---------- | --------- |
| Signature: | signature |
| Date:      | date      |