
Expert Advice Community

Risk assessment and treatment process

Guest user, created Dec 21, 2016, last commented Dec 21, 2016

Considering this scenario: starting off the process by 1) identification of assets, followed by 2) assigning vulnerabilities and threats and calculating the risk impact. During these two phases we would fill up the RISK ASSESSMENT TABLE and RISK TREATMENT TABLE. Then we would complete the RISK ASSESSMENT REPORT and move on to completing the SoA. After the SoA we will fill in the RISK TREATMENT PLAN.

Expert
Rhand Leal Dec 21, 2016

1- Are any of these documents filled and maintained in parallel? Or do they have to be filled strictly in sequence i.e. RISK TREATMENT TABLE then SoA then ACCEPTANCE OF RESIDUAL RISK then RISK TREATMENT PLAN etc.

Answer: Considering the risk of rework, you could fill in parallel the risk treatment table and the risk treatment plan. The advantage of filling them in parallel is that when presenting information for acceptance of residual risk, you can have more detailed information about risk treatments, and this can facilitate the decision on accepting the residual risks and speed up your process. The disadvantage is that if the residual risk value is not accepted, you will lose all the effort and time you allocated. To minimize this risk I would suggest you ask risk owners what information they would need to make their decision regarding residual risk, and when elaborating the risk treatment plan you start only with a general overview of the solution, focusing on what is to be delivered instead of what is to be done.

This material can provide you with information on how to prepare a general overview of a risk treatment plan:

- ISO 27001 project management: Implementing complex security controls using Work Breakdown Structure (WBS) https://advisera.com/27001academy/blog/2015/10/19/iso-27001-project-management-implementing-complex-security-controls-using-work-breakdown-structure-wbs/

2 - How can we comment upon “after treatment figures of likelihood and severity of risk” in RISK TREATMENT TABLE without ascertaining the method of control implementation as per SoA and without creating a RISK TREATMENT PLAN in parallel to assign cost and resources?

Answer: These values you set in the after treatment columns are what you expect to achieve after controls implementation. They will just help you define the details of your implementation plan (e.g., resources to be allocated, technologies to be adopted, etc.). After controls implementation, with data from performance monitoring and measurement, you can verify if these values were achieved or if your implementation needs adjustments.

3- Can a single example case be shared in which this complete set of documents was filled from start till end?

Answer: Sure, if you watch the video tutorials that came with your toolkits, you will see for each of the documents (e.g. for Risk treatment table, for Risk treatment plan) how to fill out all the data.

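The following is an added worked example, not code from the Advisera toolkit or from anyone in this thread. It models a small risk register the way the questions above describe it: current likelihood and impact per asset/threat/vulnerability row, the "after treatment" values entered as expected residual risk, an acceptance threshold that decides which rows go into the treatment plan, and a post-implementation check that compares measured values against the expected ones. The 1-5 scales, the multiplicative score, the threshold of 8 and all register rows are constructed assumptions; ISO 27001 does not prescribe any of them.

```python
"""Worked risk register: current risk, expected residual risk after
treatment, acceptance decision, and a post-implementation check.
Added example; scales, threshold and entries are constructed, not Advisera's."""
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical 1-5 ordinal scales and a hypothetical acceptance threshold:
# a risk score (likelihood x impact) at or below 8 is accepted as-is.
SCALE_MIN, SCALE_MAX = 1, 5
ACCEPTANCE_THRESHOLD = 8


def risk_score(likelihood: int, impact: int) -> int:
    """Simple multiplicative score; rejects values outside the scale."""
    for v in (likelihood, impact):
        if not SCALE_MIN <= v <= SCALE_MAX:
            raise ValueError(f"value {v} outside {SCALE_MIN}-{SCALE_MAX} scale")
    return likelihood * impact


@dataclass
class RiskEntry:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                 # before treatment
    impact: int                     # before treatment
    controls: list = field(default_factory=list)
    expected_likelihood: Optional[int] = None   # "after treatment" column
    expected_impact: Optional[int] = None

    def current_risk(self) -> int:
        return risk_score(self.likelihood, self.impact)

    def expected_residual_risk(self) -> Optional[int]:
        """Planned residual risk; None when no treatment is planned."""
        if self.expected_likelihood is None or self.expected_impact is None:
            return None
        return risk_score(self.expected_likelihood, self.expected_impact)


def treatment_candidates(entries, threshold=ACCEPTANCE_THRESHOLD):
    """Rows above the acceptance threshold, highest risk first: these are
    the rows that need controls and a place in the treatment plan."""
    above = [e for e in entries if e.current_risk() > threshold]
    return sorted(above, key=lambda e: e.current_risk(), reverse=True)


def residual_acceptable(entry, threshold=ACCEPTANCE_THRESHOLD) -> bool:
    """What the risk owner is asked to accept: the planned residual value."""
    residual = entry.expected_residual_risk()
    return residual is not None and residual <= threshold


def verify_after_implementation(entry, measured_likelihood, measured_impact,
                                threshold=ACCEPTANCE_THRESHOLD) -> dict:
    """Compare values observed after controls are in place (from monitoring
    and measurement) against the expected ones entered in the table."""
    measured = risk_score(measured_likelihood, measured_impact)
    expected = entry.expected_residual_risk()
    achieved = expected is not None and measured <= expected and measured <= threshold
    return {
        "asset": entry.asset,
        "expected_residual": expected,
        "measured_residual": measured,
        "status": "achieved" if achieved else "adjust",
    }


def build_register():
    """Constructed sample rows (not from any real assessment)."""
    return [
        RiskEntry("Customer database", "Ransomware", "Backups never restore-tested",
                  likelihood=4, impact=5,
                  controls=["Offline backups with periodic restore tests"],
                  expected_likelihood=2, expected_impact=3),
        RiskEntry("Marketing website", "Defacement", "Outdated CMS plugin",
                  likelihood=3, impact=2),     # score 6: accepted without treatment
        RiskEntry("Laptop fleet", "Device theft", "Unencrypted disks",
                  likelihood=3, impact=4,
                  controls=["Full-disk encryption enforced by policy"],
                  expected_likelihood=3, expected_impact=1),
    ]


if __name__ == "__main__":
    register = build_register()
    for e in treatment_candidates(register):
        print(f"{e.asset}: current {e.current_risk()}, planned residual "
              f"{e.expected_residual_risk()}, acceptable={residual_acceptable(e)}")
    # Constructed post-implementation measurement for the first row.
    print(verify_after_implementation(register[0], 2, 3))
```

The point of `verify_after_implementation` is the one made in answer 2: the after-treatment columns hold expectations, and only measured values collected once the controls are running tell you whether the plan needs adjustment. Running the script lists the two rows that exceed the threshold in priority order and then reports the customer database row as "achieved" for the constructed measurement.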