Existing controls decrease the level of risk
Answer:
Your process is correct - if you have controls currently in place, they will reduce the risk to an acceptable level, so no new controls will be needed. However, in most cases during the risk assessment you'll find risks for which you do not have controls, so for such risks you will have to identify controls in the risk treatment - for example, very often there are no controls in place against risks related to your own employees (e.g. a system administrator with malicious intent) or to external services (e.g. a cloud service provider cancelling your account).
I assume you already watched the risk assessment video tutorial that comes with the toolkit, and these articles will also help you:
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
- 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
By the way, the risk assessment process is also explained in this free online training: ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Jul 12, 2016