We are using Conformio for our ISO 27001 program, and I have a question about completing the risk register. I'm at the risk treatment phase, and I'm starting to think I may have had the wrong idea about how to use the risk register.
We have a mature security culture, and we have many controls already in place. When I went through the risk scoring process, I scored the likelihood based on the controls we already have in place. So, in many cases, the likelihood was low or medium based on the presence of multiple existing controls.
I only scored the likelihood as high where we don’t have adequate controls already in place. Then, I worked through the “unacceptable” risks in the treatment phase.
The big question I have is, should I have scored the risks based on not having any controls in place already, and documented the controls in the treatment phase?
We have identified over 300 risks, and had 24 risks that needed addressing in the treatment phase. It would be a large amount of work to go back and re-score everything, not to mention having to document every existing control for 300+ risks. I don’t want to fail the audit, however.
Also, will this affect the Statement of Applicability?