PIMS-DOC-05-2 Risk Assessment and Treatment Process


The controls set out in the above standards will be supplemented by the extended and additional guidance set out in the following codes of practice:

• ISO/IEC 27002 – Code of practice for information security controls
• ISO/IEC 27701 – PIMS-specific guidance clauses
• ISO/IEC 27017 – Code of practice for information security controls based on ISO/IEC 27002 for cloud services
• ISO/IEC 27018 – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

The last two of these apply the Annex A controls specifically to the cloud service provider scenario and address the protection of PII more comprehensively than the ISO/IEC 27001 standard does on its own.

2.8.3 Risk treatment plan

The evaluation of the treatment options will result in the production of the risk treatment plan, which will detail:

• Risks requiring treatment
• Risk owner
• Recommended treatment option
• Control(s) to be implemented
• Responsibility for the identified actions
• Cost estimate for implementing the control(s)
• Timescales for actions
• Expected residual risk levels after the controls have been implemented

2.8.4 Statement of applicability

The Statement of Applicability will set out those controls from Annex A of the ISO/IEC 27001 standard and those from Annexes A and B of ISO/IEC 27701 that have been selected, and the reasons for their selection. It will also detail those that have been implemented and identify any that have been explicitly excluded, together with a reason for such exclusion.

2.9 Management approval

At each stage of the risk assessment process management will be kept informed of progress and decisions made, including formal sign-off of the proposed residual risks. Management will approve the following documents:

• Risk Assessment Report

Version 1 | Page 20 of 23 | [Insert date]
