Expert Advice Community

Risk Assessment

Guest
Guest user Created:   Nov 26, 2019 Last commented:   Nov 27, 2019

I'm struggling to get my head around one concept on Risk Assessment so wonder if you could help.

I've purchased your Secure & Simple book plus read other valuable information on advisera.com (all really helpful thanks), however, still struggling to find a clear answer on this.

When performing the initial assessment of the risks to an asset to provide the inherent risk level, should this take into account the existing mitigation controls in place, or should all current controls be omitted?

My thinking is an asset's threats and vulnerabilities should be determined under current control conditions, e.g. asset 'a' is an online system containing personal information, the threat could be unauthorized access to PI and the vulnerability could be using shared authorization credentials - but if we have a policy in place that states shared credentials/passwords must not be used, plus user training enforces this, should this be taken into account when scoring the likelihood?

We have a mature security model in place so coming at the risk assessment with a lot of controls already in place. Our risk assessment should be to identify and prioritize those assets with the highest risks which require mitigation.

Might have answered my own question in that last paragraph!?


Expert
Rhand Leal Nov 26, 2019

During risk assessment, not only the initial one, you have to consider already implemented controls to define the level of risk. ISO 27001 does not require organizations to identify "inherent" risks, i.e., risks without the effect of controls on them, only "risks". This way your assessment will be easier and quicker to perform.

This material will provide you further explanation about risk assessment:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

Guest
Guest user Nov 27, 2019

Many thanks for the quick reply, really helpful.
So to confirm, for an ISO 27001 compliant risk assessment we can jump straight to calculating the residual risk, i.e. the risks considering existing controls in place. Inherent risk calculation is not required (and by definition the risk score of these is calculated not taking existing controls into account?)

Expert
Rhand Leal Nov 27, 2019

Please note that the steps to define residual risks are:
- Risk identification (i.e., identification of elements that compose the risk, and already implemented controls)
- Risk analysis (i.e., the definition of risk value, considering any already implemented controls)
- Risk evaluation (i.e., comparing the risk value to risk acceptance criteria to decide if additional treatment is required)
- Risk treatment (i.e., defining which treatment is to be applied, and its effect on the risk)

In case you evaluate that no additional treatment is required (i.e., the risk is accepted), then the identified risk is the residual risk.

In case you evaluate that additional treatment is required (e.g., avoid, mitigate, or transfer the risk), then, in this case, you have to define the new value of the risk, considering the new applicable controls and this one will be the residual risk.

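The four steps in the expert's reply, worked through as a small risk register in Python. This is an added example, not part of the thread and not Advisera's method or tooling; the 1 to 5 likelihood and impact scales, the "likelihood points removed per control" model, the acceptance threshold of 8 and the two sample risks (built around the shared-credentials scenario in the question) are all constructed assumptions. It shows the point of both replies: the risk value is analysed with already-implemented controls from the start, compared with the acceptance criterion, and only risks that fail that comparison get new controls before the residual value is recorded.

```python
from dataclasses import dataclass, field

# Constructed scales (not from the thread): likelihood and impact run 1..5,
# risk value = likelihood x impact, and a risk is accepted when value <= threshold.
ACCEPTANCE_THRESHOLD = 8


@dataclass
class Control:
    name: str
    likelihood_reduction: int  # constructed: points removed from the 1..5 likelihood scale


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    base_likelihood: int  # likelihood with no controls at all (never reported on its own)
    impact: int
    implemented: list = field(default_factory=list)  # controls already in place
    planned: list = field(default_factory=list)      # controls chosen during treatment


def effective_likelihood(base: int, controls) -> int:
    """Likelihood after applying the given controls; never below 1 on the scale."""
    reduction = sum(c.likelihood_reduction for c in controls)
    return max(1, base - reduction)


def analyse(risk: Risk, controls) -> int:
    """Risk analysis: the risk value given a set of controls."""
    return effective_likelihood(risk.base_likelihood, controls) * risk.impact


def evaluate(value: int, threshold: int = ACCEPTANCE_THRESHOLD) -> str:
    """Risk evaluation: compare the value with the acceptance criterion."""
    return "accept" if value <= threshold else "treat"


def assess(risk: Risk, threshold: int = ACCEPTANCE_THRESHOLD) -> dict:
    """Run identification -> analysis -> evaluation -> treatment for one risk.

    The value is analysed with already-implemented controls from the start;
    no separate 'inherent' (control-free) value is computed or stored.
    """
    current = analyse(risk, risk.implemented)
    decision = evaluate(current, threshold)
    if decision == "accept":
        residual = current  # accepted as-is: identified risk is the residual risk
    else:
        # Treatment: recompute with the planned controls added to the existing ones.
        residual = analyse(risk, risk.implemented + risk.planned)
    return {
        "asset": risk.asset,
        "threat": risk.threat,
        "current_value": current,
        "decision": decision,
        "residual_value": residual,
        "residual_accepted": residual <= threshold,
    }


def assess_register(register) -> list:
    """Assess every risk and sort by residual value, highest first, for prioritisation."""
    return sorted((assess(r) for r in register),
                  key=lambda row: row["residual_value"], reverse=True)


# Constructed sample controls and risks built around the scenario in the question.
POLICY = Control("No shared credentials policy", 1)
TRAINING = Control("User awareness training", 1)
MFA = Control("Multi-factor authentication", 1)  # planned as treatment
BACKUPS = Control("Daily tested backups", 2)

SHARED_CREDENTIALS = Risk(
    asset="Online system with personal information",
    threat="Unauthorised access to personal information",
    vulnerability="Shared authentication credentials",
    base_likelihood=4,
    impact=5,
    implemented=[POLICY, TRAINING],
    planned=[MFA],
)

SERVER_FAILURE = Risk(
    asset="Online system with personal information",
    threat="Loss of data through hardware failure",
    vulnerability="Single production server",
    base_likelihood=3,
    impact=4,
    implemented=[BACKUPS],
)

if __name__ == "__main__":
    for row in assess_register([SHARED_CREDENTIALS, SERVER_FAILURE]):
        print(row)
```

With these constructed numbers the shared-credentials risk analyses to 10 under the existing policy and training, exceeds the threshold, and drops to a residual value of 5 once MFA is added as treatment; the server-failure risk analyses to 4 with backups in place and is accepted unchanged. Swapping the scales or threshold for an organisation's own criteria changes the numbers but not the sequence of steps.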
