Guest
risk assessment and controls
For risk assessment, if I identify the threat and vulnerability but I already applied a control, then do I have to mention that risk?
Example:
asset (server), threat (no electricity), vulnerability (no UPS)
But I already have a UPS, so do I have to add that record in the assessment table and put the likelihood "low"? Or will I not add it because there is no vulnerability?
May,
You have to identify all the risks, even though you have implemented a control for some of them - it is true that in such cases the likelihood will be low, but the risk still exists.
If the value of such risk turns out to be acceptable, then of course you won't have to treat the risk; in some cases it might happen that such risk is still unacceptable (because the existing control is not enough), so you will have to apply some additional controls.
Jan 12, 2016