Risk assessment and treatment plan
Having carried out the risk assessment, I have a number of risks that are of the highest severity but lowest occurrence. Am I right in saying that the severity is based on the worst-case scenario that could occur based on the threat? For example, the threat that antivirus is not installed on a laptop. The worst-case scenario is that someone gets our cloud admin permissions. However, this has never happened before, as we do have antivirus in place, just not the documented procedures. So it has the highest severity and a low occurrence. Due to the nature of our business, we want to have documented controls and mitigation in place for all our threats. This leads me to the treatment plan. We will put in place controls to treat this threat, which I gave as an example. We will recalculate the risk evaluation after mitigation. Am I correct in saying that the severity and occurrence will not change in this case? Am I correct in saying that the severity of the risk will never change, just the likelihood of occurrence? Thank you
1 - Am I right in saying that the severity is based on the worst-case scenario that could occur based on the threat? For example, the threat that antivirus is not installed on a laptop. The worst-case scenario is that someone gets our cloud admin permissions. However, this has never happened before, as we do have antivirus in place, just not the documented procedures. So it has the highest severity and a low occurrence. Due to the nature of our business, we want to have documented controls and mitigation in place for all our threats.
Answer: Your understanding is partially correct. While you do need to consider the worst-case scenario for the impact, in most cases any existing controls will reduce the likelihood.
For additional information, see:
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
2 - This leads me to the treatment plan. We will put in place controls to treat this threat, which I gave as an example. We will recalculate the risk evaluation after mitigation. Am I correct in saying that the severity and occurrence will not change in this case? Am I correct in saying that the severity of the risk will never change, just the likelihood of occurrence? Thank you
Answer: Please note that in the case you mentioned you already have a mitigation implemented (i.e., antivirus in place), and you only have to evaluate whether documenting the antivirus procedures will change the likelihood (clear, available procedures reduce the risk of antivirus misconfiguration).
Additionally, antivirus is a preventive control, and this kind of control indeed only affects the likelihood of occurrence, not the risk consequence.
An example where a control will also reduce the impact is a fire suppression system. It will reduce both the likelihood (it will prevent most fires) and the impact (if a fire does break out, it will be put out much sooner), but please note that these cases where a single control affects both likelihood and impact are rare.
Feb 28, 2020