Expert Advice Community

Filling the risk assessment table

Guest user Created:   Nov 19, 2016 Last commented:   Nov 19, 2016

If I have an asset with a threat and related vulnerabilities, and I know that I will need to implement 2 or more controls to take the risk to an acceptable level, do I need to specify how much each control will decrease the risk, or is it enough to put the result on a single row?

Expert
Rhand Leal Nov 19, 2016

Answer: Sometimes the protective effect only takes place when several controls are applied together (e.g., for physical protection, implementing a security perimeter without entry controls, or vice versa, does not make much sense). If one fails, the whole protection may be compromised. In cases like this it is enough to put the result on a single row. So, you should assess the effect of all controls implemented for a particular risk to decide how to record them in your Risk Treatment Table.

By the way, together with the toolkit you have received access to a video tutorial called How to Implement Risk Treatment According to ISO 27001, which explains exactly how this is done - I would recommend you watch this tutorial because it will explain what the standard requires, what options you have, how to fill out the data, etc.
