
Expert Advice Community


Risk Register section

Guest user Created:   Mar 31, 2022 Last commented:   Mar 31, 2022

Good day. In the Conformio Platform, in section Risk Register, there are recommendations as to the number of Assets, Vulnerabilities, Threats to be selected. In this evaluation, is the selection to be general and/or theoretical, or rather based solely where weaknesses may factually exist? Perhaps my enquiry is not clear; please consider, for exemplification:

1) An asset: Desktop computer/laptop (for the purpose of this example, both serve); theoretically, a weak password is a vulnerability, as is the lack of/not updated anti-virus software. However, if there are already policies in place regarding strong password construction and the update of anti-virus software is monitored and secured, then this vulnerability should not be selected, because controls are already in place? Or should they nonetheless be selected, to document that they were accounted for but are already treated?

2) The asset: Office rooms/facilities. In theory, the main vulnerability for such an asset would be lack of access controls to facilities, rooms or offices. In our company, access controls are in place. Therefore, should such a vulnerability not be selected; or rather, should it be selected but its likelihood be evaluated as low due to the controls already in place?

Expert
Rhand Leal Mar 31, 2022

In risk assessment, you need to identify the risks that exist in your context and that you consider relevant. The fact that some of them may already have controls in place is considered when you analyze them to define likelihood and impact (in most cases this will mean that they will have low risk and won’t be part of the risk treatment step).

Considering that, both of your examples would be included in the risk assessment, so you can document either the risks or the controls already implemented to treat them.

For further information, see:
- 6 main steps in risk management https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/
- Risk assessment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

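To make the distinction in this answer concrete, here is an added example that is not code from the original page, from Advisera or from the Conformio platform: a small Python risk register in which every identified risk is recorded together with the controls already in place, the likelihood is derived from an assumed rule (each existing control lowers the inherent likelihood by one step on an assumed 1..5 scale), and only items whose likelihood x impact score exceeds an assumed threshold proceed to risk treatment. The assets, threats, controls and scores are constructed for the example; an organisation defines its own scales, rule and threshold in its risk assessment methodology.

```python
from dataclasses import dataclass, field

# Assumed ordinal scales and treatment threshold (not from the page).
LIKELIHOOD_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
TREATMENT_THRESHOLD = 8  # assumed: a score above this goes to risk treatment


@dataclass
class RiskItem:
    """One row of the risk register: asset + threat + vulnerability, plus the
    controls that already exist for it. Controlled risks stay in the register;
    the controls only change the assessed likelihood."""
    asset: str
    threat: str
    vulnerability: str
    inherent_likelihood: int          # likelihood if no control existed
    impact: int
    existing_controls: list[str] = field(default_factory=list)

    def __post_init__(self):
        if self.inherent_likelihood not in LIKELIHOOD_SCALE:
            raise ValueError(f"likelihood must be 1..5, got {self.inherent_likelihood}")
        if self.impact not in IMPACT_SCALE:
            raise ValueError(f"impact must be 1..5, got {self.impact}")

    def likelihood(self) -> int:
        """Assumed rule: each existing control lowers likelihood by one step, floor 1."""
        return max(1, self.inherent_likelihood - len(self.existing_controls))

    def score(self) -> int:
        return self.likelihood() * self.impact

    def needs_treatment(self) -> bool:
        return self.score() > TREATMENT_THRESHOLD

    def row(self) -> str:
        """Human-readable register line documenting the existing controls."""
        controls = "; ".join(self.existing_controls) or "none"
        decision = "TREAT" if self.needs_treatment() else "accept (existing controls)"
        return (f"{self.asset} | {self.threat} | {self.vulnerability} | "
                f"controls: {controls} | L={self.likelihood()} "
                f"({LIKELIHOOD_SCALE[self.likelihood()]}) I={self.impact} "
                f"score={self.score()} | {decision}")


def build_register() -> list[RiskItem]:
    """Constructed sample register mirroring the two examples in the question,
    plus one uncontrolled risk so the treatment step is not empty."""
    return [
        RiskItem("Laptop", "Unauthorized access", "Weak user password", 3, 4,
                 ["Password policy", "Complexity enforced at login"]),
        RiskItem("Laptop", "Malware infection", "Anti-virus not updated", 4, 4,
                 ["AV updates monitored", "Centrally managed endpoint protection"]),
        RiskItem("Office rooms", "Intrusion", "Lack of physical access control", 3, 3,
                 ["Badge access control"]),
        RiskItem("File server", "Data loss", "No tested backups", 4, 5),
    ]


def treatment_plan(register: list[RiskItem]) -> list[RiskItem]:
    """The subset of the register that continues into risk treatment."""
    return [item for item in register if item.needs_treatment()]


if __name__ == "__main__":
    register = build_register()
    print("Risk register (all identified risks, controls documented):")
    for item in register:
        print("  " + item.row())
    print("\nRisk treatment plan:")
    for item in treatment_plan(register):
        print("  " + item.row())
```

Running the block lists all four risks in the register, each with its existing controls recorded, while only the untreated backup risk reaches the treatment plan; the password, anti-virus and physical access risks are kept as evidence that they were considered and land below the threshold.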