Ramaiyer
Hi All,
Background:
I am implementing ISO 27K for my company. We are ISO 9001 and ISO 20000 certified along with CMMI Level 2. We are a small IT consulting company with less than 100 employees.
Current status:
I have created a Risk Register and done Risk Analysis. Then I have created a Risk Treatment Plan.
During internal review, I was asked why we need to create a separate Risk Register instead of updating the existing Risk Register created for the other ISO certifications. It is understood that there are different risks and scope issues. But I was asked why not expand the current Risk Register itself. Also, I was asked why we need a Risk Analysis and a Risk Treatment Plan. Why is that information not also included in the Risk Register? Just add the required columns and have everything in one document. I have a detailed Risk Register with all the asset classes and the Risks, a detailed Risk Analysis, and also a very detailed Risk Treatment Plan with Risk, Residual Risk, Replacement Value, etc.
Question:
1. Can I combine the Risk Registers for ISO 9001, ISO 20000 and ISO 27001?
2. Are the Risk Analysis and Risk Treatment documents required separately, or can they be combined with the Risk Register?
Any help is appreciated.