SPRING DISCOUNT
Get 30% off on toolkits, course exams, and books.
Limited-time offer – ends May 26, 2022
Use promo code:
SPRING30

Expert Advice Community

Guest

Questions about risk assessment/treatment.

  Quote
Guest
Guest user Created:   Jan 12, 2016 Last commented:   Jan 12, 2016

Questions about risk assessment/treatment.

We have assessed our information security risks and found around 30 risks (We are a small company of 7 people). And only one of those risks does not currently have controls in place which make it acceptable.
0 0

Assign topic to the user

ISO 27001 RISK ASSESSMENT TABLE

Implement risk register using catalogues of vulnerabilities and threats.

ISO 27001 RISK ASSESSMENT TABLE

Implement risk register using catalogues of vulnerabilities and threats.

Guest
DejanK Jan 12, 2016

In other words, we have only one unacceptable risk which needs treatment.

So our risk treatment results are rather thin (I have combined that table with the risk assessment table) and the SoA will have mostly controls which are already in place.

And then the Risk Treatment Plan will have very little to say.

It isn’t that we are complacent about information security, but rather that our risks are already mitigated by several controls, which are described in the risk assessment table (although not in terms of the Annex A controls).

Answer: Finding only 30 risks seems to me a bit too little. A company with 7 employees probably has ca 50 assets (people, hardware, software, databases, documents electronic and paper, infrastructure, etc.), each asset could have ca 5 threats and each threat ca 2 vulnerabilities. This easily makes ca 500 risks (assets x threats x vulnerabilities) for a small company.

When using this methodology of identifying assets, threats and vulnerabilities, most companies I've worked with realized they were aware of only ca 50% of their risks - which means that only then they could decide which additional controls to implement.
Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Jan 12, 2016

Jan 12, 2016

Suggested Topics

Guest user Created:   May 21, 2022 ISO 27001 & 22301
Replies: 1
0 0

Toolkit questions

Guest user Created:   May 15, 2022 ISO 27001 & 22301
Replies: 1
0 0

Conformio expert questions