
Expert Advice Community

Risk assessment and treatment

cgonzalez Created: Apr 25, 2018 Last commented: Apr 28, 2018

If risk assessment is carried out before the BIA and before the business continuity strategy, when are unacceptable risks mitigated? Should they be mitigated/avoided right after identification and evaluation, after the BIA, or during the business continuity strategy?

Expert: Rhand Leal, Apr 28, 2018
First, let's separate the moment of the treatment choice decision from the moment of its implementation.

The decision to mitigate/avoid a risk should be made after the risk evaluation, considering the criteria you defined in your risk assessment methodology.

Regarding when and how to implement the mitigation/avoidance for an unacceptable risk, you should consider the results of the BIA to decide.

In the Business continuity strategy (or in the Implementation plan, which will be an appendix to the Strategy) you should define when and how the mitigation/avoidance will be made - the higher the risk, the sooner you should try to mitigate it.

This article will provide you further explanation about risk assessment and BIA:
- Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis//

This material will also help you regarding risk assessment and BIA:
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/