Information security risk assessment question

Created:   Dec 22, 2022 Last commented:   Dec 27, 2022

Hello,

We are using Conformio for our ISO 27001 program, and I have a question about completing the risk register. I'm at the risk treatment phase, and I'm starting to think I may have had the wrong idea about how to use the risk register.

We have a mature security culture, and we have many controls already in place.  When I went through the risk scoring process, I scored the likelihood based on the controls we already have in place.  So, in many cases, the likelihood was low or medium based on the presence of multiple existing controls.

I only scored the likelihood as high where we don’t have adequate controls already in place.  Then, I worked through the “unacceptable” risks in the treatment phase.

The big question I have is, should I have scored the risks based on not having any controls in place already, and documented the controls in the treatment phase?

We have identified over 300 risks, and had 24 risks that needed addressing in the treatment phase.  It would be a large amount of work to go back and re-score everything, not to mention having to document every existing control for 300+ risks.  I don’t want to fail the audit, however.

Also, will this affect the Statement Of Applicability?

Expert
Rhand Leal Dec 27, 2022

1 - The big question I have is, should I have scored the risks based on not having any controls in place already, and documented the controls in the treatment phase?

We have identified over 300 risks, and had 24 risks that needed addressing in the treatment phase.  It would be a large amount of work to go back and re-score everything, not to mention having to document every existing control for 300+ risks.  I don’t want to fail the audit, however.

Answer: The risk assessment needs to be performed considering existing controls, so your assessment was performed correctly. You can use the comment field in the risk register to state which controls are already implemented to treat that risk. As a tip, you should express this information in terms of the controls of Annex A.

2 - Also, will this affect the Statement Of Applicability?

Answer: About the SoA, you need to review it and manually include, for each control, the reference to each risk treated by it in the initial assessment.

For example, if a hypothetical risk #32, related to service disruption, is assessed as low risk because you already have implemented a contingency plan to treat it, then you need to include:
- in the comment on risk #32, the information about this implemented contingency plan
- in the SoA, risk #32 as a justification to implement control A.5.29 (Information security during disruption)
