Risk assessment and treatment
Assign topic to the user
1 - The question is whether any control stated as applicable in the statement of applicability should have been identified already in the risk assessment step, .e.g is it possible to have lets say contact of authority as applicable in SoA but no mention of it in risk assessment step?
Answer: Yes, you can have this situation. Maybe a risk you haven't though about justifies the control, or there might be some regulatory or contractual requirement that demands you to implement a particular control.
2 - Another question is regarding the risk treatment table. Is it ok to use more than one control as mitigation to specified risk or just a map of one risk one control is more suggested?
Answer: In fact, in most cases, you will have to implement more than one control to mitigate a risk to acceptable levels. According our proposed method, in the Risk treatment table, you will have to create one row for each combination of the specified risk and control applied.
In th e video tutorials that came with your toolkit, you can see examples of how to fill out all the data for Risk assessment and Risk treatment.
Comment as guest or Sign in
Feb 21, 2017