Expert Advice Community


Does the Impact Reduce When applying Controls

Guest user Created:   Jan 12, 2016 Last commented:   Jan 12, 2016

Relocating to less storm prone area.
Guest post Jan 12, 2016

Here the likelihood reduces but the impact remains the same.
On the other hand,
Threat - Fire
Vulnerability - Lack of fire extinguishers
Control - Back up of info at alternate site
Here the control does not reduce the impact, as the information would anyway be impacted.
I have read:
NOTE: When assigning an impact rating to a risk, assign the rating corresponding to the most serious consequence that could result should the vulnerability be exploited.
Kindly let me know your thoughts.

DejanK Jan 12, 2016

Actually, you have hit the core of the issue with risk assessment and treatment - theoretically, the controls can reduce both the impact and the likelihood, but in 99% of the cases they will reduce only the likelihood.

Here's an example where the control will reduce both the impact and the likelihood:

Asset: database
Threat: electricity outage
Vulnerability: no alternative power source
Control: implement UPS.

With the implementation of intelligent uninterruptible power supply (that will shut down the server once its battery is almost empty) not only will the likelihood reduce, but also the impact because the server will be shut down in a controllable fashion, which means the database integrity will be preserved.
