Answer: The evaluation of residual risks is the same as for the initial assessment of the risks - you need to evaluate the impact and the likelihood, taking into account the effect of the actions or controls that you implemented, using the same methodology as for the initial risk assessment. See the articles below, which will explain to you how to perform this evaluation.
These articles will provide you with further explanation about residual risks:
- Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
2 - I want to make managing based on risks really add value to the company and not sure how to turn it around.
Answer: The best way to demonstrate risk management value is by using performance indicators that are related to business functions. For example, if your company heavily depends on information systems, the systems' uptime is a critical factor, as well as the quantity of transactions processed. If you can demonstrate that your controls can affect these parameters (e.g., a well-managed change process can reduce unplanned downtime and improve systems uptime, and adopting secure coding practices can optimize transaction performance), you are on track to show security value.
These articles will provide you with further explanation about identifying performance indicators:
- Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/
- Four key benefits of ISO 27001 implementation
- ISO 27001 control objectives – Why are they important?
These materials will also help you regarding residual risks and performance indicators:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Dec 12, 2016