Hi, I understand that the conformio software auto calculates the residual risk after controls are added. so 2 questions:
1. What is the recommended base for controls? Is more better as in comprehensively covered or the minimum to reduce the resdiual risk?
2. Do we assume that the controls reduces the impact rating? I'm unsure of how that will happen. Can you please explain? For example - Desktop Computers > Downloads from internet not controlled > Infections with malicious software > Controls choosen are: A.5.7, A.5.10, A.5.17, A.5.24, A.5.25, A.5.26, A.5.27, A.5.28, A.5.37, A.6.1, A.6.2, A.6.3, A.6.4, A.6.8, A.8.7, A.8.19, A.8.21
The residual risk is now 0 but I don't understand how the Impact is reduced to 0 with these. Please help.
Thanks
Assign topic to the user
ISO 27001 RISK ASSESSMENT AND TREATMENT REPORT
Document the results of the risk management process.
Get it now 
ISO 27001 RISK ASSESSMENT AND TREATMENT REPORT
Document the results of the risk management process.
Get it now
ISO 27001 RISK ASSESSMENT AND TREATMENT REPORT
Document the results of the risk management process.
Get it now
Thank you for your question.
We answered it through Experta - you can find the answer here:
Comment as guest or Sign in
Dec 06, 2023