Performing risk assessment and risk treatment

Guest user | Created: Dec 12, 2019 | Last commented: Dec 12, 2019

I'm interested in the necessary steps regarding risk assessment (and what follows) that should be taken when an existing asset is removed from the company. E.g., it was decided that a power generator is no longer needed, and possible power failures will be covered by a UPS.


Expert: Rhand Leal, Dec 12, 2019

General steps for risk assessment and treatment are:

  • Risk identification (i.e., identification of elements that compose the risk, and already implemented controls)
  • Risk analysis (i.e., the definition of risk value, considering any already implemented controls)
  • Risk evaluation (i.e., comparing the risk value to risk acceptance criteria to decide if additional treatment is required)
  • Risk treatment (i.e., defining which treatment is to be applied, and its effect on the risk)

Considering your scenario, and the approach asset-threat-vulnerability, we would have as an example:
- Risk identification: assets would be any power-dependent equipment (e.g., servers, desktops, routers, etc.), threat (power failure), vulnerability (lack of power generator), and implemented control (UPS)
- Risk analysis: without any emergency power supply, your operations will run only as long as the charge of your UPSs lasts before normal power supply is restored, so the risk of operational disruption will increase with time (i.e., to value the risk you have to consider how long your UPSs will last and how long it will take for normal power supply to be re-established).
- Risk evaluation: considering your risk evaluation criteria, you can decide how to treat the risk (e.g., mitigate, transfer, accept, or avoid)
- Risk treatment: for mitigation, you may decide to keep the power supply; for transfer, you can decide to operate in a facility physically maintained by a third party; or you can do nothing and absorb the impact if the risk occurs.

Please note that this analysis is valid only for this scenario. For example, if the asset to be removed is a notebook, you must take other considerations into account, like the information stored in the notebook.

This material will provide you further explanation about risk assessment and treatment:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

These materials will also help you regarding risk assessment and treatment:
- Diagram of ISO 27001:2013 Risk Assessment and Treatment process https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-processatment-process
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

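The four steps in the expert's answer (identification, analysis, evaluation, treatment) can be written down as a small risk register that is re-run whenever an asset such as the generator is removed. The block below is an added example and is not code from the thread or from Advisera; the 1..5 likelihood and impact scales, the acceptance threshold of 8, the outage-frequency and UPS-shortfall bands, and the effect assigned to each treatment option are all assumptions chosen for illustration, and the input values are constructed.

```python
# Added example (not from the Advisera thread): a minimal asset-threat-vulnerability
# risk register walking the four steps for the power-failure scenario.
# Scales, thresholds and treatment effects are assumptions for illustration.
from dataclasses import dataclass, field


@dataclass
class Risk:
    """One asset-threat-vulnerability entry in the risk register."""
    asset: str
    threat: str
    vulnerability: str
    controls: list = field(default_factory=list)
    likelihood: int = 0   # 1 (rare) .. 5 (frequent), assumed scale
    impact: int = 0       # 1 (negligible) .. 5 (severe), assumed scale

    def value(self) -> int:
        return self.likelihood * self.impact


def likelihood_from_outages(outages_per_year: float) -> int:
    """Map an observed mains-outage frequency onto the assumed 1..5 likelihood scale."""
    for score, limit in ((1, 0.5), (2, 1), (3, 3), (4, 6)):
        if outages_per_year <= limit:
            return score
    return 5


def impact_from_power_gap(ups_runtime_min: float, restore_time_min: float) -> int:
    """Impact grows with the time operations run unpowered: the gap between how
    long the UPSs last and how long mains power takes to be re-established."""
    shortfall = restore_time_min - ups_runtime_min
    if shortfall <= 0:
        return 1                      # UPS bridges the whole outage, no disruption
    for score, limit in ((2, 30), (3, 120), (4, 480)):
        if shortfall <= limit:
            return score
    return 5


def evaluate(risk: Risk, acceptance_threshold: int = 8) -> str:
    """Risk evaluation: compare the risk value with the (assumed) acceptance criterion."""
    return "acceptable" if risk.value() <= acceptance_threshold else "treatment required"


def treat(risk: Risk, option: str, ups_runtime_min: float) -> Risk:
    """Risk treatment: apply mitigate / transfer / accept / avoid and record the
    residual values. Each option's effect is an assumption for illustration."""
    if option == "mitigate":
        # Keep the generator: it covers the full outage, so the shortfall disappears.
        risk.controls.append("power generator")
        risk.impact = impact_from_power_gap(ups_runtime_min, 0)
    elif option == "transfer":
        # Operate from a third-party facility that owns power continuity;
        # a small residual impact for the switchover itself is assumed.
        risk.controls.append("third-party facility with own power continuity")
        risk.impact = 2
    elif option == "avoid":
        # Remove the dependency altogether (e.g. the asset no longer needs local power).
        risk.likelihood = 1
    elif option != "accept":
        raise ValueError(f"unknown treatment option: {option}")
    return risk


def assess_power_failure(ups_runtime_min: float, restore_time_min: float,
                         outages_per_year: float, option: str) -> dict:
    """Run the four steps end to end for the scenario in the question."""
    # 1. Risk identification: asset, threat, vulnerability, existing control
    risk = Risk(asset="power-dependent equipment (servers, desktops, routers)",
                threat="power failure",
                vulnerability="lack of power generator",
                controls=["UPS"])
    # 2. Risk analysis: value the risk with the UPS already in place
    risk.likelihood = likelihood_from_outages(outages_per_year)
    risk.impact = impact_from_power_gap(ups_runtime_min, restore_time_min)
    initial = risk.value()
    # 3. Risk evaluation against the acceptance criterion
    verdict = evaluate(risk)
    # 4. Risk treatment, only where the evaluation calls for it
    if verdict == "treatment required":
        treat(risk, option, ups_runtime_min)
    return {"initial_value": initial, "verdict": verdict,
            "residual_value": risk.value(), "controls": list(risk.controls)}


if __name__ == "__main__":
    # Constructed inputs: 45-minute UPSs, a typical 3-hour restoration, 2 outages a year.
    print(assess_power_failure(45, 180, 2, "mitigate"))
```

With the constructed inputs the UPS runs out 135 minutes before mains power returns, which scores impact 4 against likelihood 3; the value 12 exceeds the assumed acceptance threshold, so treatment is required, and keeping the generator brings the residual value down to 3. Running the same function with a restoration time shorter than the UPS runtime shows the case where removing the generator is acceptable without further treatment.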
