Tag: "risk register" - Expert Advice Community

Home / risk register

Discussions

Top Contributors

Expert

Rhand Leal

4115
Discussions
Expert

Carlos Pereira da Cruz

1906
Discussions
Expert

Dejan Kosutic

366
Discussions

Most Popular Tags

Product: Conformio Product: ISO 13485 & MDR Integrated Documentation Toolkit ISO 27001 Product: ISO 27001 Documentation Toolkit ISO 9001 Product: ISO 27001 & ISO 22301 Premium Documentation Toolkit Risk Assessment Product: ISO 13485 Documentation Toolkit ISMS Internal Audit Product: ISO 27001/Risk Assessment Table Product: ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit register of requirements Certification ISO 14001
Category:
Select
CREATE NEW TOPIC +
Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Information security risk assessment question

    Hello,

    We are using Conformio for our ISO 27001 program, and I have a question about completing the risk register.  I'm at the risk treatment phase, and I'm starting to think I may have had the wrong idea about how use the risk register.

    We have a mature security culture, and we have many controls already in place.  When I went through the risk scoring process, I scored the likelihood based on the controls we already have in place.  So, in many cases, the likelihood was low or medium based on the presence of multiple existing controls.

    I only scored the likelihood as high where we don’t have adequate controls already in place.  Then, I worked through the “unacceptable” risks in the treatment phase.

    The big question I have is, should I have scored the risks based on not having any controls in place already, and documented the controls in the treatment phase?

    We have identified over 300 risks, and had 24 risks that needed addressing in the treatment phase.  It would be a large amount of work to go back and re-score everything, not to mention having to document every existing control for 300+ risks.  I don’t want to fail the audit, however.

    Also, will this affect the Statement Of Applicability?

  • Conformio risk register, confused by some of the threat mappings for Human Resources

    The Conformio risk register defines the following
    • Threat is what kind of negative thing can happen to your asset because the vulnerability exists.
    The mapping path is Asset to Vulnerabilty to Threat Asset: Employees with specific expertiese ( system admin, security experts ) Vulnerability: Replacement person does not exist or is inadequate Threat:  Earthquake / Fire / Flood / Storm ? Of the 12 items listed, only 2 seem reasonable - breach of contracts and information disclosure Seems like this mapping needs some work, or am I misunderstanding something ?

  • Opportunities and environmental aspects and impacts

    We have Environmental Aspect / Impact register, but how to incorporate the opportunities in the Environmental Aspect Impact Register