
Expert Advice Community

Inherent vs Residual Risk

Brian Created:   Nov 22, 2019 Last commented:   Nov 26, 2019


Considering the initial risk assessment is done taking into account controls already in place, is it accurate to say that if these controls are sufficient, there should be no change between the inherent and residual risk score? Added to which, are there any circumstances where you would risk assess assuming NO controls? You wouldn't approach a risk assessment for crossing the road with worst-case scenario at the outset, i.e. with a blindfold, earplugs and at rush hour there is a high probability you will be killed?! That can't be your starting point or all risk assessments would be artificially skewed.


Expert
Rhand Leal Nov 26, 2019

1. Considering the initial risk assessment is done taking into account controls already in place, is it accurate to say that if these controls are sufficient, there should be no change between the inherent and residual risk score?

Your understanding is correct. If the assessed risk, considering controls already in place, is considered acceptable according to your defined criteria, then the assessed risk and the residual risk are the same.

2. Added to which, are there any circumstances where you would risk assess assuming NO controls? You wouldn't approach a risk assessment for crossing the road with worst-case scenario at the outset, i.e. with a blindfold, earplugs and at rush hour there is a high probability you will be killed?! That can't be your starting point or all risk assessments would be artificially skewed.

An example of a circumstance where you would assess a risk assuming NO controls applied is to identify the full impact of the risk occurring, so you can evaluate whether the effort and cost of the applied controls are worthwhile.

This article will provide you with further explanation about risk assessment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

These materials will also help you regarding risk assessment:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
