iso27diy-corp/Corpus/Standards/ISO27x/Risk Treatment Plan.md

Risk Treatment Plan

Find faults or omissions in my reasoning.

The Canonical Form of a policy is:

To mitigate the risk of R, control C will be implemented on asset A under the responsibility of asset owner AO. The effectiveness will be measured through method M and will be evaluated by risk owner RO, against established risk criteria RC.

To establish that the implementation of a specific control complies with ISO 27001, the auditor will look for the following:

  • the risk that the control is supposed to mitigate
  • the risk owner
  • the scope of the control, in terms of organizational scope (certain business activities, organizational units) and asset(s) protected
  • the control owner
  • a description of the 'how' or the activities involved in the implementation, including roles and responsibilities
  • how the effectiveness of the control will be established, when, and by whom
  • how the effectiveness of the control will be evaluated, when, and by whom
  • possible exemptions to the policy
  • how exceptions will be handled
  • where all this is documented (policies, logs etc., evaluation)
  • for this documentation: version information and who has authored and signed off on the policy, revision dates (+ next evaluation)
  • what the change procedure is for a relevant policy
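The canonical form above and the auditor's checklist can be turned into a simple lint for a risk treatment register: each entry carries a field for R, C, A, AO, M, RO and RC plus the further items the auditor looks for, the entry can render itself as the canonical sentence, and any blank field is reported as an audit finding. This is an added illustration, not part of the original note or of any ISO document; the field names, the checklist wording and the two sample entries are constructed for the example.

```python
"""Lint a risk treatment plan entry against the canonical policy form and the
auditor's checklist (constructed example; field names are assumptions)."""
from dataclasses import dataclass, replace
from typing import List


@dataclass
class RiskTreatmentEntry:
    # Canonical form: risk R, control C, asset A, asset owner AO,
    # measurement method M, risk owner RO, risk criteria RC
    risk: str = ""
    control: str = ""
    asset: str = ""
    asset_owner: str = ""
    measurement_method: str = ""
    risk_owner: str = ""
    risk_criteria: str = ""
    # Further items the auditor looks for
    scope: str = ""
    control_owner: str = ""
    implementation: str = ""
    effectiveness_established: str = ""   # how, when, by whom
    effectiveness_evaluated: str = ""     # how, when, by whom
    exemptions: str = ""
    exception_handling: str = ""
    documentation: str = ""
    version_info: str = ""                # version, author, sign-off, dates
    change_procedure: str = ""

    def canonical_statement(self) -> str:
        """Render the entry in the canonical form of a policy statement."""
        return (
            f"To mitigate the risk of {self.risk}, control {self.control} will be "
            f"implemented on asset {self.asset} under the responsibility of asset "
            f"owner {self.asset_owner}. The effectiveness will be measured through "
            f"{self.measurement_method} and will be evaluated by risk owner "
            f"{self.risk_owner}, against established risk criteria {self.risk_criteria}."
        )


# (field, what the auditor expects to find); order follows the checklist above
AUDIT_CHECKLIST = [
    ("risk", "the risk that the control is supposed to mitigate"),
    ("risk_owner", "the risk owner"),
    ("scope", "the organisational scope of the control"),
    ("asset", "the asset(s) protected"),
    ("asset_owner", "the asset owner"),
    ("control", "the control"),
    ("control_owner", "the control owner"),
    ("implementation", "how the control is implemented, with roles and responsibilities"),
    ("measurement_method", "the method by which effectiveness is measured"),
    ("effectiveness_established", "how effectiveness is established, when and by whom"),
    ("effectiveness_evaluated", "how effectiveness is evaluated, when and by whom"),
    ("risk_criteria", "the risk criteria the evaluation is made against"),
    ("exemptions", "possible exemptions to the policy"),
    ("exception_handling", "how exceptions will be handled"),
    ("documentation", "where all this is documented"),
    ("version_info", "version, author, sign-off, revision date and next evaluation"),
    ("change_procedure", "the change procedure for the policy"),
]


def audit_findings(entry: RiskTreatmentEntry) -> List[str]:
    """Return the checklist items an auditor would find missing (blank fields)."""
    return [what for fld, what in AUDIT_CHECKLIST if not getattr(entry, fld).strip()]


# Constructed sample: a complete entry for the control 5.37 example in the text
COMPLETE = RiskTreatmentEntry(
    risk="insecure operation of the backup server",
    control="documented operating procedures (control 5.37)",
    asset="backup server",
    asset_owner="IT operations manager",
    measurement_method="quarterly review of restore-test logs",
    risk_owner="head of IT",
    risk_criteria="all monthly restore tests pass",
    scope="IT operations; backup server and its backup media",
    control_owner="backup administrator",
    implementation="operators follow the written run book for every backup and restore",
    effectiveness_established="restore test logged monthly by the backup administrator",
    effectiveness_evaluated="quarterly by the head of IT against the risk criteria",
    exemptions="none",
    exception_handling="deviations recorded in the incident log and reviewed quarterly",
    documentation="backup policy v1.2, run book, restore-test log",
    version_info="v1.2, authored by backup administrator, signed off by CISO, "
                 "revised 2024-01-15, next review 2025-01-15",
    change_procedure="changes proposed by the control owner, approved by the document owner",
)

# Constructed sample: the same entry with three items an auditor would flag left blank
INCOMPLETE = replace(COMPLETE, control_owner="", exception_handling="", change_procedure="")

if __name__ == "__main__":
    print(COMPLETE.canonical_statement())
    print("findings:", audit_findings(INCOMPLETE))
```

Run as a script it prints the canonical sentence for the complete entry and the three missing items for the incomplete one; in practice the same check can be run over every row of a risk register before an internal audit.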

"Formally":

  • A policy formally expresses the intentions and direction of management. Rather than detailing exactly how a task should be executed, the overarching information security policy is supported by "topic-specific policies" as needed to mandate the implementation of controls for specific target groups or security areas (such as access control, physical security, or secure development).
  • The Role of a Procedure (The "How"): The specific steps on how to carry out an activity or process are defined in a procedure. For example, Control 5.37 requires organizations to maintain "documented operating procedures" that provide personnel with the detailed, step-by-step instructions needed to ensure the correct and secure operation of information processing facilities.
  • It is also important to note that a control is broadly defined as any measure that modifies or maintains risk. Therefore, a control itself can take the form of a policy, a procedure, a process, or a technical hardware/software function.

Version Control

| Type | Value |
|---|---|
| Version number | x.xx |
| Version date | x.xx |
| Document owner | name |
| Approved by | name |
| Approved on | date |
| Next review | date |

The Document Owner is responsible for development and implementation of the policy.

  • Check Standard on documentation and ownership

Approved

Name: name
Signature: signature
Date: date