Expert Advice Community

Narrowing down the list of risks

Guest user Created:   Jul 28, 2016 Last commented:   Jul 28, 2016

It says it's reasonable to have 500 risks at Enterprise level; we need to narrow down that list to an even shorter list.
Expert
Dejan Kosutic Jul 28, 2016
What is the best practice to group info Sec risks?

Answer: I assume you refer to our article ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/01academy/emy/ademy/my/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/ - if you come up with 500 risks, this doesn't mean that you have to treat all of them - you will need to treat only unacceptable risks, and this is usually 10% or 20% of all the risks you have identified.

If you still want to reduce the number of risks, then I suggest grouping similar assets into a single class of assets - e.g. you could group all the servers into a single class of assets, or your laptops, etc.

These materials explain in detail how to perform the risk assessment:
- book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- free online training ISO 27001 Foundations Course https://training.advisera.com/se/iso-14001-internal-auditor-course/o-27001-foundations-course/

How do you suggest to aggregate and report to business owners so the risks are technical jargon free, etc.

Answer: You should present only the biggest (unacceptable) risks to your business owners/top management, and you can use small scenarios (in a couple of sentences) - what could happen if such an incident happens.

Here is a template which provides examples of scenarios, focused mainly on larger incidents: https://advisera.com/27001academy/01academy/emy/ademy/my/documentation/examples-of-disruptive-incident-scenarios/