Fantastic breakdown - the only thing I am still struggling with is the difference between Gap Analysis and Risk Assessment in ISO 27001. I do know what they are theoretically. However, I watched another video that cited their own steps as: senior management buy-in, purchase the ISO standard, carry out a risk assessment, complete the SoA and scope, Gap Analysis (which is the internal audit), findings, senior management, attestation, certification. And what ISO version is yours? 2023? 'Cos I know the 2013 version has 114 controls.
@tulpapainting1718, 2 years ago
Thank you very much for all of this. Are you able to provide a new link to the ISMS manual that you mention? The link in the description is broken.
@trentmurray2467, 1 year ago
Hey, it seems the resources no longer exist. Are you able to provide an updated link to your current ISMS Manual? Thanks!
@leefogel5195, 2 years ago
Thanks for compiling this. Very helpful.
@Mangolive, 2 years ago
Glad it was helpful!
@dmnick123ify, 2 years ago
Hello... thanks for your video. I am interested in learning how to implement ISO. Where can I take a course to be educated on ISO 27000? Perhaps an online course. Thanks.
@anuproy4166, 2 years ago
I'm a certified ISMS lead auditor. I want to work with a foreign company. Can you give me an idea for that?
@dommikador6524, 3 years ago
Great
@stinfluggle, 3 years ago
A very helpful explanation, thank you
@Mangolive, 3 years ago
You are welcome Roland
@Rups78, 2 years ago
One query: should 7.0 Support come under “Plan” or under “Do”? Because support is an action after planning. I may be wrong, but would love to hear different opinions on this, please.
@wintergreene795, 1 year ago
Support in this context refers to the support of the management and the enterprise for the ISO certification process. Hence it is under Plan.
@Rups78, 1 year ago
Thanks for clarifying. “Management Support” makes sense, instead of “Support”.
@Walruz1000, 2 years ago
Out of interest, how would you apply the model of Asset Register --> Classification Register --> Risk Register to a monitor? As you mentioned, prior to discussing this, that you even included computer monitors, how do you quantify the output of a monitor to determine its classification? For some of these, was there a default which meant no further work was necessary?
@Mangolive, 2 years ago
Good question, Paul. The inclusion of monitors was seen as a catch-all for all IT items, so we included them purely to ensure we didn't miss anything. The output was nil, so therefore very low on the classification. Thus no further work was necessary other than being labelled and tracked. Cheers, Craig
@Walruz1000, 2 years ago
@Mangolive Thank you for the reply! Could I ask one further question: to what level would you record threats? Would you go as far as wiretapping/eavesdropping of an internal network, and would you include threats such as denial of service, denial of wallet, etc.? Or... would you be more specific and include the actual threat, so for example if it were a denial of service it might be caused by Malware X? To what level of detail would we be expected to go?

Also, under the treatment of controls where you are performing the threat assessment, is there a name for that model? The models I have seen so far use a scoring matrix and put threats in categories based on values assigned to each, and then they calculate the average. Is there a name for the method you have used?

And how does the classification register relate to the information security register? I understand the values of secret, public, etc., but on the following slide that value is not attributed to any of the items; there is instead a "Risk Level". How would I get from a classification of secret to a Risk Level of high, for example?

A lot of questions, I know, but I have to undertake an assessment as part of my MSc (for a fictitious company) and I need to say which threat assessment model I have used and justify why.