Expert Advice Community

Guest

Risk acceptance

  Quote
Guest
Guest user Created:   Feb 21, 2017 Last commented:   Feb 21, 2017

Risk acceptance

Hello, in a recent time we had a discussion within the software development team. As you know, A.12.1.4 control forces us to separate development, test and live fields. However, for some development tools, it is not possible to separate them. Also, some projects forces us not to separate them all. In this situation, can there be an exclusion for not to implement this control? What can be the metrics to implement and not to implement this control? Thanks for your help.
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Feb 21, 2017

Answer: For ISO 27001, there are three possible justifications to not implement a control:

1) there is no relevant risk that justifies the control implementation;

2) the organization decides to accept the risks in all situations which would justify the control implementation; and

3) the organization decides to accept the risks in a case by case basis, i.e. implementing the control in some projects and not in others.

For options 2 and 3, the decision could be based on an evaluation of the impacts of implementing the control (e.g., loss of business opportunities, loss of prod uctivity) versus the potential losses caused by an incident that happens because of the control's absence.

This article will provide you further explanation about risk treatment options:
- 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/

These materials will also help you regarding risk treatment options:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Feb 21, 2017

Feb 21, 2017

Suggested Topics