Questions about risk assessment/treatment.
In other words, we have only one unacceptable risk which needs treatment.
So our risk treatment results are rather thin (I have combined that table with the risk assessment table) and the SoA will have mostly controls which are already in place.
And then the Risk Treatment Plan will have very little to say.
It isn't that we are complacent about information security, but rather that our risks are already mitigated by several controls, which are described in the risk assessment table (although not in terms of the Annex A controls).
Answer: Finding only 30 risks seems to me a bit too little. A company with 7 employees probably has ca 50 assets (people, hardware, software, databases, documents electronic and paper, infrastructure, etc.), each asset could have ca 5 threats and each threat ca 2 vulnerabilities. This easily makes ca 500 risks (assets x threats x vulnerabilities) for a small company.
When using this methodology of identifying assets, threats and vulnerabilities, most companies I've worked with realized they were aware of only ca 50% of their risks, which means that only then could they decide which additional controls to implement.
Jan 12, 2016