SPRING DISCOUNT
Get 30% off on toolkits, course exams, and Conformio yearly plans.
Limited-time offer – ends April 25, 2024
Use promo code:
SPRING30

Expert Advice Community

Guest

Risk assessment: multiple vulnerabilities for the same threat

  Quote
Guest
Guest user Created:   Sep 05, 2023 Last commented:   Sep 07, 2023

Risk assessment: multiple vulnerabilities for the same threat

On your tutorial vimeo page in the "06 How to implement risk treatment" video, you showed an example (see screenshot attached) in which you listed 2 separate lines for: the same asset, with the same threat, but with 2 different vulnerabilities.

Would it not make more sense to list this under 1 line?
That way there is 1 asset, 1 threat, 2 vulnerabilities and 2 controls.

I ask this because for some of our threats, we have 5-6 vulnerabilities and 5-6 controls to mitigate them. should we split this to different lines or is it okay to have multiple vulnerabilities, with multiple controls, and multiple assets - within 1 line?

0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Sep 05, 2023

Please note that in the Risk Assessment Table and in the Risk Treatment Table, each line corresponds to a single risk (i.e., a single set of asset-treat-vulnerability). If you merge all information in a single line, it will be more difficult for someone to understand which control is being applied to each risk. Additionally, the merged information will make it more complicated for you to apply the Excel filter to analyze, for example, which control is being more applied, which threat/vulnerability is more frequent, etc.

In short, merging information may reduce the number of lines in your tables, but it will make your overall analysis more difficult.

For further information, check out our Risk assessment and our Risk treatment.

Quote
0 0
Guest
Guy Sep 05, 2023

What about the risks where I have multiple controls for mitigation? do you choose one control and ignore the others? 

Quote
0 0
Expert
Rhand Leal Sep 07, 2023

In this case, you include one row for each control used to treat the same risk. For example, if you want to use 3 controls to treat the same risk, then you will have three rows with the same risk and one for each control.

This way, you will have a better notion of how each control impacts the risk (some controls may impact only likelihood or only impact), and you can evaluate if all controls are really necessary (i.e. if you are not including excessive controls).

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Sep 05, 2023

Sep 07, 2023

Suggested Topics

Guest user Created:   Mar 12, 2018 ISO 27001 & 22301
Replies: 1
0 0

Risk management

Tanya S Created:   Dec 01, 2023 ISO 27001 & 22301
Replies: 1
0 0

Residual Risk Calculations