Guest
Hi, I understand that the Conformio software auto-calculates the residual risk after controls are added. So 2 questions:
1. What is the recommended base for controls? Is more better, as in comprehensively covered, or the minimum to reduce the residual risk?
2. Do we assume that the controls reduce the impact rating? I'm unsure of how that will happen. Can you please explain? For example - Desktop Computers > Downloads from internet not controlled > Infections with malicious software > Controls chosen are: A.5.7, A.5.10, A.5.17, A.5.24, A.5.25, A.5.26, A.5.27, A.5.28, A.5.37, A.6.1, A.6.2, A.6.3, A.6.4, A.6.8, A.8.7, A.8.19, A.8.21
The residual risk is now 0 but I don't understand how the Impact is reduced to 0 with these. Please help.
Thanks