Expert Advice Community
Risk calculation and implemented controls

Guest user Created:   Feb 11, 2017 Last commented:   Feb 11, 2017

I am working on a risk assessment and am confused by one thing. When I determine likelihood vs impact, should I determine those based on a total lack of controls or based on the controls we have in place currently?

Expert
Rhand Leal Feb 11, 2017

Answer: For determining the risk value, you must consider the current situation, i.e., including the influence of the controls currently implemented. If you do not do that you may end up overestimating risks and wasting resources to handle an already acceptable risk.

This article will provide you with further explanation about risk assessment:
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

These materials will also help you regarding risk calculation and implemented controls:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

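The distinction the answer draws, as an added worked example that is not part of the original post or of any Advisera material: a small Python risk register that scores every scenario twice, once ignoring all controls (the "total lack of controls" reading from the question) and once counting only the controls that are actually implemented, and flags the scenarios where the no-controls reading would send an already acceptable risk to treatment. The 1 to 5 scales, the acceptance threshold of 6, the per-control reductions and the three sample scenarios are all assumptions made for illustration; ISO 27001 does not prescribe a scoring method.

```python
"""Risk scoring with and without implemented controls.

Illustrative only: ISO 27001 prescribes no scoring method. The scales,
acceptance threshold, control weights and scenarios below are assumptions.
"""
from dataclasses import dataclass, field

SCALE_MIN, SCALE_MAX = 1, 5      # assumed 1..5 scales for likelihood and impact
ACCEPTABLE_RISK = 6              # assumed acceptance criterion: L x I <= 6 is acceptable


@dataclass(frozen=True)
class Control:
    """A control and how much it lowers likelihood and/or impact (assumed weights)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0
    implemented: bool = True     # planned-but-not-implemented controls must not count


@dataclass
class RiskScenario:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int              # assessed as if no controls existed
    impact: int                  # assessed as if no controls existed
    controls: list[Control] = field(default_factory=list)

    def __post_init__(self):
        for value in (self.likelihood, self.impact):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{value} is outside the {SCALE_MIN}..{SCALE_MAX} scale")


def clamp(value: int) -> int:
    """Keep a reduced likelihood or impact on the scale."""
    return max(SCALE_MIN, min(SCALE_MAX, value))


def inherent_risk(s: RiskScenario) -> int:
    """Score that ignores every control (the 'total lack of controls' reading)."""
    return s.likelihood * s.impact


def current_risk(s: RiskScenario) -> int:
    """Score for the current situation: only implemented controls count."""
    active = [c for c in s.controls if c.implemented]
    likelihood = clamp(s.likelihood - sum(c.likelihood_reduction for c in active))
    impact = clamp(s.impact - sum(c.impact_reduction for c in active))
    return likelihood * impact


def assess(scenarios: list[RiskScenario]) -> list[dict]:
    """One row per scenario; flags where the no-controls view would send an
    already acceptable risk to treatment (the waste the answer warns about)."""
    rows = []
    for s in scenarios:
        inherent, current = inherent_risk(s), current_risk(s)
        rows.append({
            "asset": s.asset,
            "threat": s.threat,
            "inherent": inherent,
            "current": current,
            "needs_treatment": current > ACCEPTABLE_RISK,
            "overestimated_without_controls": inherent > ACCEPTABLE_RISK >= current,
        })
    return rows


# Constructed sample register (not real data, not from the page).
SAMPLE_REGISTER = [
    RiskScenario("Customer database", "Unauthorised access", "Weak authentication", 4, 5,
                 [Control("MFA on all admin access", likelihood_reduction=2),
                  Control("Encryption at rest", impact_reduction=1),
                  Control("DLP monitoring", impact_reduction=1, implemented=False)]),
    RiskScenario("Staff laptops", "Theft", "Portable device leaves the office", 3, 4,
                 [Control("Full-disk encryption", impact_reduction=2),
                  Control("Asset tagging and sign-out log", likelihood_reduction=1)]),
    RiskScenario("Public website", "Defacement", "CMS patched late", 3, 2),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['asset']:<18} {row['threat']:<22} inherent={row['inherent']:>2} "
              f"current={row['current']:>2} treat={row['needs_treatment']} "
              f"overestimated={row['overestimated_without_controls']}")
```

Running it shows the point of the answer: the laptop scenario scores 12 with no controls and 4 once full-disk encryption and asset tracking are counted, so it is already acceptable and would be treated needlessly under the no-controls reading, while the database scenario stays at 8 and still needs treatment. The planned DLP control in the first scenario is marked `implemented=False` and does not lower the current score; only controls that are actually in place (and that you can show are working) belong in the "current situation".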
