1. First, a question about the risk management methodology (the process): could you elaborate on the logic behind it? Is it different from the one in your toolkit (RA and RT) tables?
Because I haven’t used the vulnerability-threat approach, I am confused: must you choose an applicable control for the vulnerability and then again for the threat? Or are these applicable controls the safeguards already implemented in our environment, which we have to consider when we do the risk evaluation (the next step, where these controls are already included in the risk level)?
Answer: The logic behind the Risk Register in Conformio is the same as the Risk Assessment and Risk Treatment Tables in the documentation toolkit:
- identification of assets, vulnerabilities and threats
- definition of risk value (risk analysis)
- definition of risk treatment option
- definition of applicable controls
You need to define controls for each set of “asset-vulnerability-threat”. You do not need to select controls specifically for vulnerabilities or threats, but in some cases, this approach is useful when a single control is not enough to reduce risk to acceptable levels.
Regarding already implemented controls, you need to take them into account when defining risk value, as well as record this information in the observation field of the risk.
For further information, see:
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- How to use Conformio ISO 27001 risk assessment software https://advisera.com/conformio/blog/2021/06/27/how-to-use-conformio-iso-27001-risk-assessment-software/
2. Can you also adjust controls (make your own), or are there only ISO A-attachment-related controls?
Answer: The current version of Conformio only works with controls from ISO 27001 Annex A.
3. I can’t seem to adjust the residual risk manually (after I have added controls appropriate to treat the risk). Why is that?
Answer: Residual risk is automatically calculated by Conformio based on these criteria:
- number of applied controls
- type of applied controls
- covered sections of Annex A controls
But you can also define the residual risk values manually during the risk treatment step in the Risk Register, depending on the risk treatment option chosen.