
Workshop: Determine the Context of the Organization Using an Analysis Matrix

ISO 27001 INTERNAL AUDITOR / LEAD AUDITOR (I27001IA/LA)

4.2 Understanding the Needs and Expectations of Interested Parties

The organization shall determine:

a) The interested parties that are relevant to the information security management system.

b) The requirements of these interested parties that are relevant to information security.

NOTE: The requirements of interested parties may include legal and regulatory requirements as well as contractual obligations.

Interested party: a person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity.

Some examples of interested parties:
4.3 Determining the Scope of the Information Security Management System

The organization shall determine the boundaries and applicability of the information security management system to establish its scope.

When determining this scope, the organization shall consider:

a) The external and internal issues referred to in 4.1.
b) The requirements referred to in 4.2.
c) The interfaces and dependencies between activities performed by the organization and those performed by other organizations.

The scope shall be available as documented information.

For the scope, the following aspects are relevant:

• The results of the context analysis.
• The results of the gap analysis.
• The management systems already in place in the organization.
• The areas of application that deliver value to interested parties.
• Legal, regulatory and contractual requirements.
• The organization's objectives.
• Organizational boundaries.
• Information system boundaries.
• Physical boundaries.

A scope definition document could consider the following:

• Scope definition.
• Characteristics of the organization.
• Organizational processes.
• Functions and responsibilities.
• Information assets.
• Information systems.
• Geographic location.

4.4 Information Security Management System

The organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard.

Workshop: Define the Scope of the ISMS

5. Leadership

5.1 Leadership and Commitment

Top management shall demonstrate leadership and commitment with respect to the information security management system by:

a) Ensuring that the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization.
b) Ensuring the integration of the information security management system requirements into the organization's processes.
c) Ensuring that the resources needed for the information security management system are available.
d) Communicating the importance of effective information security management and of conforming to the information security management system requirements.
e) Ensuring that the information security management system achieves its intended outcomes.
f) Directing and supporting persons to contribute to the effectiveness of the information security management system.
g) Promoting continual improvement.



h) Supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.

Top management's commitment can be demonstrated, for example, by:

• Establishing, approving and supporting compliance with an information security policy.
• Approving and ensuring the resources needed for the ISMS.
• Ensuring that the ISMS has defined roles, responsibilities and authorities.
• Communicating the importance of information security.
• Motivating staff to contribute to the effectiveness of the ISMS.
• Strengthening accountability for information security management results.
• Establishing suitable conditions for staff involvement in achieving the organization's information security objectives.

5.2 Policy

Top management shall establish an information security policy that:

a) Is appropriate to the purpose of the organization.
b) Includes information security objectives (see 6.2) or provides the framework for setting information security objectives.
c) Includes a commitment to satisfy applicable requirements related to information security.
d) Includes a commitment to continual improvement of the information security management system.

The information security policy shall:

e) Be available as documented information.
f) Be communicated within the organization.
g) Be available to interested parties, as appropriate.

Some methods for communicating the information security policy internally are the following:

• Induction and training through talks.
• Distribution by e-mail.
• Delivery in person.
• Posting on notice boards (Information Security Policy Statement).
• Publication on the corporate intranet.

These methods can be used individually or in combination as part of an ongoing Information Security Awareness Program, and it must be ensured that staff comprehend and understand the information security policy; this can be measured through periodic assessments, which generate records of the results obtained and identify improvements.

5.3 Organizational Roles, Responsibilities and Authorities

Top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated within the organization.



Top management shall assign the responsibility and authority for:

a) Ensuring that the information security management system conforms to the requirements of this International Standard.
b) Reporting on the performance of the information security management system to top management.

NOTE: Top management may also assign responsibilities and authorities for reporting on the performance of the information security management system within the organization.

In this phase the roles, responsibilities and authorities for information security must be clearly defined. To do so, the person responsible for information security must be designated and the authorities established, which can be done by appointing an ISMS Committee.

Good practice indicates that this ISMS Committee can be made up of representatives of the organization's relevant areas, for example Top Management, Administration and Finance, Human Resources, Information Technology and Legal.

Responsibilities must also be established for the Information Security Officer, the ISMS Committee (where one exists) and the organization's staff.

It is important to bear in mind that the person responsible for information security should not report hierarchically to the IT area, so that independence is preserved and segregation of duties is properly maintained.
6. Planning

6.1 Actions to Address Risks and Opportunities

6.1.1 General

When planning for the information security management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2, and determine the risks and opportunities that need to be addressed to:

a) Ensure the information security management system can achieve its intended outcomes.
b) Prevent, or reduce, undesired effects.
c) Achieve continual improvement.

The organization shall plan:

d) Actions to address these risks and opportunities.
e) How to:
1) Integrate and implement the actions into its information security management system processes.
2) Evaluate the effectiveness of these actions.

6.1.2 Information Security Risk Assessment

The organization shall define and apply an information security risk assessment process that:

a) Establishes and maintains information security risk criteria that include:
1) The risk acceptance criteria.
2) Criteria for performing information security risk assessments.
b) Ensures that repeated information security risk assessments produce consistent, valid and comparable results.

c) Identifies the information security risks:
1) Applying the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability of information within the scope of the information security management system.
2) Identifying the risk owners.

Risk owner: person or entity with the accountability and authority to manage a risk.

Risk: effect of uncertainty on objectives.

An effect is a deviation from the expected; it can be positive, negative or both, and can address, create or result in opportunities and threats.

Positive: potential gain / Negative: harmful event.



Objectives can have different aspects and categories, and can apply at different levels.

Risk is usually expressed in terms of risk sources, potential events, their consequences and their likelihood.

Level of risk: magnitude of a risk expressed in terms of the combination of consequences and their likelihood.

Information security risks are those associated with the loss of confidentiality, integrity and availability of information.


Threat: potential cause of an unwanted incident, which can result in harm to a system or organization.

Vulnerability: weakness of an asset or control that can be exploited by one or more threats.

Control: measure that modifies risk.

d) Analyses the information security risks:
1) Assessing the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize.
2) Assessing the realistic likelihood of occurrence of the risks identified in 6.1.2 c) 1).
3) Determining the levels of risk.
e) Evaluates the information security risks:
1) Comparing the results of the risk analysis with the risk criteria established in 6.1.2 a).
2) Prioritizing the analysed risks for risk treatment.

The organization shall retain documented information about the information security risk assessment process.

6.1.3 Information Security Risk Treatment

The organization shall define and apply an information security risk treatment process to:

a) Select appropriate information security risk treatment options, taking account of the risk assessment results.
b) Determine all controls that are necessary to implement the information security risk treatment option(s) chosen.

NOTE: Organizations can design controls as required, or identify them from any source.

c) Compare the controls determined in 6.1.3 b) with those in Annex A and verify that no necessary controls have been omitted.

NOTE 1: Annex A contains a comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooked.

NOTE 2: Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive, and additional control objectives and controls may be needed.

d) Produce a "Statement of Applicability" that contains:



• The necessary controls [see 6.1.3 b) and c)].
• Justification for their inclusion.
• Whether the necessary controls are implemented or not.
• Justification for the exclusion of any of the Annex A controls.

e) Formulate an information security risk treatment plan.

f) Obtain the risk owners' approval of the information security risk treatment plan and their acceptance of the residual information security risks.

The organization shall retain documented information about the information security risk treatment process.

NOTE: The information security risk assessment and treatment process in this International Standard aligns with the principles and generic guidelines provided in ISO 31000.

Strategies

Mitigate: implement controls to reduce the level of risk.

Accept: the risk is assumed or retained at its current level.

Transfer: share the risk with external parties (buying insurance or outsourcing services).

Eliminate: cancel the activity that generates the risk.

Risk Treatment Plan

Residual risk: risk remaining after risk treatment.
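As an added worked example (not part of the course material), the following Python script runs a small constructed risk register through the analysis and evaluation steps of 6.1.2 d) and e) and the four treatment strategies above, ending with the residual risk left after treatment. It assumes a 1-5 ordinal scale for likelihood and consequence, that the level of risk is their product, and an acceptance criterion of level 6 or below; all three, like the sample risks, are constructed for the demonstration and would be set by the organization in practice.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Constructed assumptions: a 1-5 ordinal scale for likelihood and consequence and an
# acceptance criterion (6.1.2 a) 1)) of "level <= 6". Real criteria are set by the organization.
SCALE = range(1, 6)
ACCEPTANCE_THRESHOLD = 6
TREATMENTS = ("mitigate", "accept", "transfer", "eliminate")  # the four strategies on the slide


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str          # potential cause of an unwanted incident
    vulnerability: str   # weakness of the asset or control the threat can exploit
    owner: str           # risk owner: accountable for managing the risk
    likelihood: int      # 1 = rare .. 5 = almost certain
    consequence: int     # 1 = negligible .. 5 = severe


def level(risk: Risk) -> int:
    """6.1.2 d) 3): level of risk = combination of consequence and likelihood (their product, by assumption)."""
    if risk.likelihood not in SCALE or risk.consequence not in SCALE:
        raise ValueError("scores must use the 1-5 scale so repeated assessments stay comparable")
    return risk.likelihood * risk.consequence


def evaluate(register: List[Risk]) -> List[Tuple[Risk, int, bool]]:
    """6.1.2 e): compare each risk with the acceptance criterion and prioritise by level (highest first)."""
    rows = [(r, level(r), level(r) <= ACCEPTANCE_THRESHOLD) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def treat(risk: Risk, option: str, likelihood: Optional[int] = None,
          consequence: Optional[int] = None) -> Tuple[Optional[Risk], int]:
    """6.1.3: apply one treatment option; returns the residual risk and its level."""
    if option not in TREATMENTS:
        raise ValueError(f"unknown treatment option: {option}")
    if option == "eliminate":   # the activity that generates the risk is cancelled
        return None, 0
    if option == "accept":      # retained at its current level; the owner must accept it (6.1.3 f))
        return risk, level(risk)
    # mitigate / transfer: a control or an external party changes likelihood and/or consequence
    residual = replace(risk, likelihood=risk.likelihood if likelihood is None else likelihood,
                       consequence=risk.consequence if consequence is None else consequence)
    return residual, level(residual)


# Constructed sample register used by the demonstration
REGISTER = [
    Risk("customer database", "ransomware", "unpatched server", "IT manager", 4, 5),
    Risk("SOC portal", "credential theft", "no MFA on login", "SOC lead", 3, 4),
    Risk("office printer", "paper disclosure", "unattended output", "facilities", 2, 2),
]
```

A residual level above the threshold after treatment means the risk owner must still formally accept it, which is the approval step in 6.1.3 f).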



Structure of ISO 31000, Risk Management – Guidelines

• This document provides guidelines for managing the risk faced by organizations. The application of these guidelines can be customized to any organization and its context.

• This document provides a common approach to managing any type of risk and is not industry- or sector-specific.

• This document can be used throughout the life of the organization and can be applied to any activity, including decision-making at all levels.

Workshop: Define a Statement of Applicability for 5 Annex A Controls

6.2 Information Security Objectives and Planning to Achieve Them

The organization shall establish information security objectives at relevant functions and levels.

The information security objectives shall:

a) Be consistent with the information security policy.
b) Be measurable (if practicable).
c) Take into account applicable information security requirements, and the results of risk assessment and risk treatment.
d) Be communicated.
e) Be updated as appropriate.

The organization shall retain documented information on the information security objectives.

When planning how to achieve its information security objectives, the organization shall determine:

f) What will be done.
g) What resources will be required.
h) Who will be responsible.
i) When it will be completed.
j) How the results will be evaluated.

Example of an ISMS objective for the Managed Security Service delivered by a Security Operation Center (SOC).
