First, let's separate the moment of the treatment choice decision from the moment of its implementation.
The decision to mitigate/avoid a risk should be made after the risk evaluation, considering the criteria you defined in your risk assessment methodology.
Regarding when and how to implement the mitigation/avoidance for an unacceptable risk, you should consider the results of the BIA to decide.
In the Business continuity strategy (or in the Implementation plan, which will be an appendix to the Strategy) you should define when and how the mitigation/avoidance will be made - the higher the risk, the sooner you should try to mitigate it.
This article will provide you further explanation about risk assessment and BIA:
- Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/
This material will also help you regarding risk assessment and BIA:
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
Apr 28, 2018