Expert Advice Community

Guest user Created:   Feb 29, 2020 Last commented:   Feb 29, 2020

Risk assessment and treatment plan

Having carried out the risk assessment, I have a number of risks that are the highest severity but lowest occurrence. Am I right in saying that the severity is based on the worst-case scenario that could occur based on the threat? For example, the threat that antivirus is not installed on a laptop. The worst-case scenario is that someone gets our cloud admin permissions. However, this has never happened before, as we do have antivirus in place, just not the documented procedures. So it has the highest severity and a low occurrence. Due to the nature of our business, we want to have documented controls and mitigation in place for all our threats. This leads me to the treatment plan. We will put in place controls to treat this threat which I gave as an example. We will recalculate the risk evaluation after mitigation. Am I correct in saying that the severity and occurrence will not change in this case? Am I correct in saying the severity of the risk will never change, just the likelihood of occurrence? Thank you


Expert
Rhand Leal Feb 29, 2020

1 - Am I right in saying that the severity is based on the worst-case scenario that could occur based on the threat? For example, the threat that antivirus is not installed on a laptop. The worst-case scenario is someone gets our cloud admin permissions. However, this has never happened before as we do have antivirus in place just not the documented procedures. So it has the severity of the highest and occurrence of low. Due to the nature of our business, we want to have documented controls and mitigation in place for all our threats.

Answer: Your understanding is partially correct. While you do need to consider the worst-case scenario for the impact, in most cases any existing controls will reduce the likelihood.

For additional information, see:
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

2 - This leads me to the treatment plan. We will put in place controls to treat this threat which I gave as an example. We will recalculate the risk evaluation after mitigation. Am I correct in saying that the severity and occurrence will not change in this case? Am I correct in saying the severity of the risk will never change just the likelihood of occurrence? Thank you

Answer: Please note that in the case you mentioned you already have a mitigation implemented (i.e., antivirus in place), and you only have to evaluate if by documenting the antivirus procedures the likelihood will change (clear available procedures reduce risk of antivirus misconfiguration).

Additionally, antivirus is a preventive control, and this kind of control indeed only affects the likelihood of occurrence, not risk consequence.

An example where a control will also reduce the impact is a fire suppression system. It will reduce both the likelihood (it will prevent most of the fires) and the impact (if a fire breaks out, it will be put out much sooner), but please note that these cases where a single control affects both likelihood and impact are rare.
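The distinction the answer draws (a preventive control such as antivirus lowers only the likelihood, while a fire suppression system lowers likelihood and impact) can be made concrete in a small risk-register model. The code below is an added illustration written for this page; it is not from the original post, the expert's answer, or any Advisera toolkit. The 1-5 scales, the acceptance threshold of 6, the reduction values assigned to each control and the two sample risks are all constructed assumptions chosen to mirror the examples in the thread; a real assessment would use the scales and values defined in its own risk methodology.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed 1-5 qualitative scales (assumption for this example, not a standard's values).
LIKELIHOOD_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
ACCEPTANCE_THRESHOLD = 6  # constructed: a residual score above this still needs treatment


@dataclass
class Control:
    """A control and how many scale levels it removes from likelihood and/or impact."""
    name: str
    likelihood_reduction: int = 0  # preventive effect (antivirus, patching, MFA ...)
    impact_reduction: int = 0      # consequence-reducing effect (fire suppression, backups ...)
    planned: bool = False          # True for a treatment not yet implemented

    def kind(self) -> str:
        if self.likelihood_reduction and self.impact_reduction:
            return "preventive and impact-reducing"
        if self.likelihood_reduction:
            return "preventive"
        if self.impact_reduction:
            return "impact-reducing"
        return "no effect"


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int  # likelihood with no controls at all, 1-5
    impact: int      # worst-case consequence, 1-5; stays fixed unless a control reduces it
    controls: List[Control] = field(default_factory=list)

    def inherent(self) -> Tuple[int, int, int]:
        """(likelihood, impact, score) before any control is taken into account."""
        return self.likelihood, self.impact, self.likelihood * self.impact

    def residual(self, include_planned: bool = True) -> Tuple[int, int, int]:
        """Apply the controls; values never drop below 1 on the scale.

        include_planned=False gives the current risk (existing controls only),
        include_planned=True re-evaluates the risk after the treatment plan.
        """
        likelihood, impact = self.likelihood, self.impact
        for c in self.controls:
            if c.planned and not include_planned:
                continue
            likelihood = max(1, likelihood - c.likelihood_reduction)
            impact = max(1, impact - c.impact_reduction)
        return likelihood, impact, likelihood * impact

    def needs_treatment(self, include_planned: bool = True) -> bool:
        return self.residual(include_planned)[2] > ACCEPTANCE_THRESHOLD


def laptop_antivirus_risk() -> Risk:
    """The thread's example: antivirus already exists, the documented procedure is planned."""
    r = Risk("company laptop", "malware leading to theft of cloud admin credentials",
             likelihood=4, impact=5)
    r.controls.append(Control("antivirus installed (existing)", likelihood_reduction=2))
    r.controls.append(Control("documented antivirus procedure", likelihood_reduction=1, planned=True))
    return r


def server_room_fire_risk() -> Risk:
    """The answer's counter-example: one control that reduces both factors."""
    r = Risk("server room", "fire", likelihood=2, impact=5)
    r.controls.append(Control("fire suppression system", likelihood_reduction=1, impact_reduction=2))
    return r


def report(risk: Risk) -> str:
    """Human-readable before/after line for a risk register."""
    il, ii, isc = risk.inherent()
    cl, ci, csc = risk.residual(include_planned=False)
    pl, pi, psc = risk.residual(include_planned=True)
    return (f"{risk.asset} / {risk.threat}: inherent {LIKELIHOOD_SCALE[il]}x{IMPACT_SCALE[ii]}={isc}, "
            f"current {LIKELIHOOD_SCALE[cl]}x{IMPACT_SCALE[ci]}={csc}, "
            f"after treatment {LIKELIHOOD_SCALE[pl]}x{IMPACT_SCALE[pi]}={psc}, "
            f"further treatment needed: {risk.needs_treatment()}")


if __name__ == "__main__":
    for risk in (laptop_antivirus_risk(), server_room_fire_risk()):
        print(report(risk))
        for c in risk.controls:
            print(f"  - {c.name}: {c.kind()}")
```

Running it shows the two points from the answer side by side: for the laptop risk the impact column stays at "severe" through every step and only the likelihood moves, because both controls are preventive, while the fire suppression control lowers both columns. It also separates the current residual risk (existing antivirus already counted) from the post-treatment residual risk (documented procedure added), which is the recalculation the questioner describes.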
