Tag: "risk register" - Expert Advice Community

  • Information security risk assessment question


    We are using Conformio for our ISO 27001 program, and I have a question about completing the risk register.  I'm at the risk treatment phase, and I'm starting to think I may have had the wrong idea about how to use the risk register.

    We have a mature security culture, and we have many controls already in place.  When I went through the risk scoring process, I scored the likelihood based on the controls we already have in place.  So, in many cases, the likelihood was low or medium based on the presence of multiple existing controls.

    I only scored the likelihood as high where we don’t have adequate controls already in place.  Then, I worked through the “unacceptable” risks in the treatment phase.

    The big question I have is, should I have scored the risks based on not having any controls in place already, and documented the controls in the treatment phase?

    We have identified over 300 risks, and had 24 risks that needed addressing in the treatment phase.  It would be a large amount of work to go back and re-score everything, not to mention having to document every existing control for 300+ risks.  I don’t want to fail the audit, however.

    Also, will this affect the Statement Of Applicability?

  • Conformio risk register, confused by some of the threat mappings for Human Resources

    The Conformio risk register defines the following
    • Threat is what kind of negative thing can happen to your asset because the vulnerability exists.
    The mapping path is Asset to Vulnerability to Threat.
    Asset: Employees with specific expertise (system admin, security experts)
    Vulnerability: Replacement person does not exist or is inadequate
    Threat: Earthquake / Fire / Flood / Storm ?
    Of the 12 items listed, only 2 seem reasonable - breach of contracts and information disclosure. Seems like this mapping needs some work, or am I misunderstanding something?
  • Opportunities and environmental aspects and impacts

    We have an Environmental Aspect / Impact register, but how do we incorporate the opportunities in the Environmental Aspect Impact Register?