Residual risks
Question 1: Is this vision of a "second" residual risk correct?
Answer: I think there is a misunderstanding here. When you apply a policy over an "inherent risk" you are already treating a risk (first you would have to evaluate the inherent risk against the acceptance criteria - the risk appetite). If this first residual risk after applying this control is still over the risk appetite, you have two options: accept the residual risk as it is (because applying more controls will not be worthwhile), or apply additional controls to further decrease the risk (then you would have the "second", "third" residual risk, and so on).
Considering this, before applying any control you have to evaluate the inherent risk first.
This article can provide you with further information:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
Question 2: Can I use the same controls assessment policy for estimating "second" residual risk?
Answer: The methodology you use to assess the inherent risk can also be used to assess the risk after the control application.
Jun 28, 2019