Risk acceptance
Assign topic to the user
Answer: For ISO 27001, there are three possible justifications to not implement a control:
1) there is no relevant risk that justifies the control implementation;
2) the organization decides to accept the risks in all situations which would justify the control implementation; and
3) the organization decides to accept the risks in a case by case basis, i.e. implementing the control in some projects and not in others.
For options 2 and 3, the decision could be based on an evaluation of the impacts of implementing the control (e.g., loss of business opportunities, loss of prod uctivity) versus the potential losses caused by an incident that happens because of the control's absence.
This article will provide you further explanation about risk treatment options:
- 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
These materials will also help you regarding risk treatment options:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
Comment as guest or Sign in
Feb 21, 2017