We have finished the Risk Assessment, and we do not have any risk that needs treatment. We have been a TL9000 certified organization for years, and maybe because of that we have well-defined processes in place for all identified risks for our identified assets.
The question I have is: do we have to have some risks that require treatment? Please advise how we should proceed.
Answer:
From my point of view, it is very rare that your organization does not have any risk that needs treatment, so it may be interesting to review all identified risks, taking into account the level of acceptable risk (review also the threats/vulnerabilities identified for each asset). If after this there are no risks above the acceptable level, the treatment is effectively not needed; but again, it is very rare to have an ISMS without risks above the acceptable level of risk (some companies the first time set a low acceptable level, and in this way they generally treat all risks, because all are above the acceptable level).
This article about the acceptable level of risk may be interesting for you, "Risk appetite and its influence over ISO 27001 implementation": https://advisera.com/27001academy/blog/2014/09/08/risk-appetite-influence-iso-27001-implementation/
Remember also that there are basically 4 risk treatment options: apply controls, transfer the risk, avoid the risk, and accept it. This article may be interesting for you, "Risk Treatment Plan and risk treatment process: What's the difference?": https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
Jan 13, 2016