Narrowing down the list of risks
Assign topic to the user
What is the best practice to group info Sec risks?
Answer: I assume you refer to our article ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/ - if you come up with 500 risks, this doesn't mean that you have to treat all of them - you will need to treat only unacceptable risks, and this is usually 10% or 20% of all the risks you have identified.
If you still want to reduce the number of risks, then I suggest to group similar assets into a single class of assets - e.g. you could group all the servers into a single class of assets, or your laptops, etc.
These materials explain in detail how to perform the risk assessment:
- book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
How do you suggest to aggregate and report to business owners so the risks are technical jargon free, etc.
Answer: You should present only the biggest (unacceptable) risks to your business owners/top management, and you can use small scenarios (in couple of sentences) - what could happen if such incident happens.
Here is a template which provides examples of scenarios, focused mainly on larger incidents: https://advisera.com/27001academy/documentation/examples-of-disruptive-incident-scenarios/
Comment as guest or Sign in
Jul 28, 2016