Answer: No, the control does not have to be in place for the establishment of residual risk. What happens in this situation is that you have to estimate the residual risk, i.e., the expected reduction in the risk level after the control is implemented. This expectation will be used to evaluate the control's measurement results in order to decide if the control is effective (in this case the expected residual risk will become the real residual risk), needs adjustments (to achieve the expected residual risk level), or if you have to review the residual risk value (to increase or decrease its value).
Regarding how you define the expected residual risk, you can estimate it through historical data, comparison with market trends, staff experience, or expert knowledge.
These articles will provide you with further explanation about residual risk:
- Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
These materials will also help you regarding residual risk:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
Sep 12, 2017