Risk assessment and treatment at two levels in ISO 27001

Risk assessment and risk treatment are discussed both in Chapter 6 and in Chapter 8. What is the difference?

The relationship between Clauses 6.1.2 and 8.2 (Information security risk assessment) and Clauses 6.1.3 and 8.3 (Information security risk treatment) hinges on their roles within the Information Security Management System (ISMS) framework defined by ISO/IEC 27001:2022.

In essence, Clauses 6.1.2 and 6.1.3 (Information security risk assessment and risk treatment) define the processes and criteria for risk management within the planning stage, while Clauses 8.2 and 8.3 define the operational execution and timing for applying those established processes.

1. Risk Processes Defined (Planning: Clause 6)

Clauses 6.1.2 and 6.1.3, located within the Planning (Clause 6) section of the ISO/IEC 27001 requirements, establish the foundational framework and repeatable methodology for how the organization approaches risk management:

  • 6.1.2 Information security risk assessment: This clause mandates the definition and application of a risk assessment process. This process includes:

    • Establishing and maintaining risk criteria, including risk acceptance criteria.
    • Ensuring that repeated assessments produce consistent, valid, and comparable results.
    • Identifying, analyzing, and evaluating information security risks associated with the loss of confidentiality, integrity, and availability within the scope of the ISMS, and determining risk owners.
    • The organization must retain documented information about this defined risk assessment process.
  • 6.1.3 Information security risk treatment: This clause mandates the definition and application of a risk treatment process. This process involves:

    • Selecting appropriate risk treatment options based on assessment results.
    • Determining all necessary controls needed to implement the chosen treatment options.
    • Comparing the determined controls against those listed in Annex A (which is directly derived from ISO/IEC 27002 controls) to ensure no necessary controls have been omitted.
    • Producing a Statement of Applicability (SoA) detailing the controls chosen, justification for inclusion, implementation status, and justification for excluding any Annex A controls.
    • Formulating an Information security risk treatment plan.
    • Obtaining approval for the treatment plan and acceptance of residual risks from risk owners.
    • The organization must retain documented information about this defined risk treatment process.
    • The risk assessment and treatment processes align with the principles and guidelines found in ISO 31000.

2. Risk Processes Implemented (Operation: Clause 8)

Clauses 8.2 and 8.3, located within the Operation (Clause 8) section, describe when and how the processes defined in Clauses 6.1.2 and 6.1.3 must be actively performed by the organization.

  • 8.2 Information security risk assessment: This clause specifies the trigger events for conducting the risk assessment defined earlier in 6.1.2. The organization must perform risk assessments at planned intervals or when significant changes are proposed or occur. These assessments must follow the criteria established in 6.1.2 a).

    • The organization is required to retain documented information of the results of these operational risk assessments.
  • 8.3 Information security risk treatment: This clause specifies the action required following the determination of the risk treatment plan (formulated in 6.1.3 e)). The organization must implement the information security risk treatment plan.

    • The organization is required to retain documented information of the results of this operational risk treatment.

Summary of the Relationship

| Clause | Section | Focus | Purpose in the ISMS Cycle |
|---|---|---|---|
| 6.1.2 (Risk assessment) | Planning | Defining the Risk Methodology | Establishes how risk assessment will be performed (criteria, repeatable process, identification, analysis, evaluation). |
| 6.1.3 (Risk treatment) | Planning | Defining the Treatment Framework | Establishes how risks will be treated (control selection, comparison with Annex A, SoA creation, plan formulation, residual risk acceptance). |
| 8.2 (Risk assessment) | Operation | Executing the Assessment | Defines when the defined risk assessment process (6.1.2) must be carried out (planned intervals or significant changes). |
| 8.3 (Risk treatment) | Operation | Executing the Treatment | Requires the organization to implement the risk treatment plan formulated during the planning stage (6.1.3). |