difference between total risk and residual risk?
Answer:
I am sorry, but ISO 27001 uses the terms risk and residual risk (total risk is not used). A risk is the effect of uncertainty on objectives, while residual risk is the risk remaining after the risk treatment. So, basically, before implementing the security controls you have risks related to information security in your business (you need to reduce them), and after implementing the controls the reduced risk is the residual risk (keep in mind that generally you cannot eliminate the risk absolutely).
Maybe this article about residual risk can be interesting for you: Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
Jan 13, 2016