Guest user Created: Jan 12, 2016 Last commented: Jan 12, 2016

Questions about risk assessment/treatment.

We have assessed our information security risks and found around 30 risks (We are a small company of 7 people). And only one of those risks does not currently have controls in place which make it acceptable.

0 0

Assign topic to the user

Select user

Guest

DejanK Jan 12, 2016

In other words, we have only one unacceptable risk which needs treatment.

So our risk treatment results are rather thin (I have combined that table with the risk assessment table) and the SoA will have mostly controls which are already in place.

And then the Risk Treatment Plan will have very little to say.

It isnt that we are complacent about information security, but rather that our risks are already mitigated by several controls, which are described in the risk assessment table (although not in terms of the Annex A controls).

Answer: Finding only 30 risks seems to me a bit too little. A company with 7 employees probably has ca 50 assets (people, hardware, software, databases, documents electronic and paper, infrastructure, etc.), each asset could have ca 5 threats and each threat ca 2 vulnerabilities. This easily makes ca 500 risks (assets x threats x vulnerabilities) for a small company.

When using this methodology of identifying assets, threats and vulnerabilities, most companies I've worked with realized they were aware of only ca 50% of their risks - which means that only then they could decide which additional controls to implement.

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Jan 12, 2016

Expert Advice Community