Consequence and Likelihood after Risk Treatment
We are developing our Risk Register using the Advisera templates. We have to mention the values of Consequence and Likelihood after the risk treatment, i.e. the residual risk. Will application of a control reduce the “Consequence” as well?
For example, “Unauthorized Physical Access to Data Center” may have a “High” consequence and a “Medium” likelihood. After application of controls like CCTV/door locks we can reduce the likelihood to “Low”, but will it reduce the “Consequence” as well?
Even after the control is applied, if there is a breach it will have the same consequences.
Not all controls affect the consequence and likelihood at the same time. The controls you mentioned work only to prevent unauthorized physical access. Once access is gained, they cannot provide any means to avoid damage to assets. Examples of controls you can consider to reduce the impact on information assets are backup and redundancy.
This article will provide you with a further explanation about control selection:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
These materials will also help you with control selection:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
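The distinction in the answer above (preventive controls such as door locks and CCTV lower likelihood only; recovery controls such as backup lower consequence only) can be modelled directly in a risk register. The following is an added example, not part of the forum post or the Advisera templates; it assumes a three-step Low/Medium/High scale mapped to 1/2/3, a risk score of consequence × likelihood, and that each control removes one step from the single factor it acts on. Those scale and scoring choices are assumptions for illustration, not the template's method.

```python
"""Residual-risk model: preventive controls lower likelihood, recovery controls lower consequence."""
from dataclasses import dataclass, field
from enum import Enum

# Qualitative scale from the question (Low/Medium/High); the numeric mapping is assumed.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}
NAMES = {value: name for name, value in LEVELS.items()}


class Effect(Enum):
    """Which risk factor a control acts on."""
    LIKELIHOOD = "likelihood"    # preventive: makes the event less likely to occur
    CONSEQUENCE = "consequence"  # recovery/corrective: limits the damage once it has occurred


@dataclass
class Control:
    name: str
    effect: Effect
    reduction: int = 1  # scale steps removed from the factor it acts on (assumed: one per control)


@dataclass
class Risk:
    description: str
    consequence: str
    likelihood: str
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        """Risk score before treatment: consequence x likelihood."""
        return LEVELS[self.consequence] * LEVELS[self.likelihood]

    def residual_factors(self) -> tuple:
        """Consequence and likelihood levels after applying every control.

        A control moves only the factor it acts on; the other factor is untouched,
        which is why door locks and CCTV alone leave the consequence at "High".
        Neither factor can drop below the lowest step on the scale.
        """
        cons = LEVELS[self.consequence]
        lik = LEVELS[self.likelihood]
        for ctl in self.controls:
            if ctl.effect is Effect.LIKELIHOOD:
                lik = max(1, lik - ctl.reduction)
            else:
                cons = max(1, cons - ctl.reduction)
        return NAMES[cons], NAMES[lik]

    def residual(self) -> int:
        """Risk score after treatment, from the residual factors."""
        cons, lik = self.residual_factors()
        return LEVELS[cons] * LEVELS[lik]


def data_centre_risk(with_backup: bool = False) -> Risk:
    """Constructed register entry matching the question: High consequence, Medium likelihood."""
    risk = Risk(
        "Unauthorized physical access to data center",
        consequence="High",
        likelihood="Medium",
        controls=[
            Control("Door lock", Effect.LIKELIHOOD),
            Control("CCTV", Effect.LIKELIHOOD),
        ],
    )
    if with_backup:
        # A recovery control is the only thing in this model that moves the consequence.
        risk.controls.append(Control("Offsite backup", Effect.CONSEQUENCE))
    return risk


if __name__ == "__main__":
    for r in (data_centre_risk(), data_centre_risk(with_backup=True)):
        print(r.description, [c.name for c in r.controls])
        print("  inherent:", r.inherent(), " residual:", r.residual(), r.residual_factors())
```

Running it shows the point made in the answer: with door lock and CCTV only, the residual entry is (High, Low), and only once a backup control is added does the consequence move to Medium. When filling in the register, record each control against the factor it actually changes rather than lowering both columns by habit.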
Feb 11, 2020