Risk treatment

Guest
Guest user Created:   Apr 03, 2020 Last commented:   Apr 07, 2020


Regarding the theft of a laptop from a car, while the policy can prohibit leaving a laptop in a car, thus preventing probability of theft, how does a backup or encryption lower the probability of theft? It merely lowers the impact when the theft occurs, but not the probability of theft. The thief does not know the data is backed up or encrypted, and usually doesn't care because he most often is after the hardware for resale, not the data.

Expert
Rhand Leal Apr 03, 2020

In fact, backup or encryption has no effect on the probability of theft.

Please note that not all security controls are intended to affect likelihood and impact at the same time. For example, backup and encryption are intended to affect impact, as you identified, while an antivirus is intended to affect likelihood (once malware circumvents the antivirus, it fully impacts its target).

That's why people work on the concept of security in depth, where multiple controls are used to increase security. In your example, you can add some sort of physical lock to minimize the probability of the laptop being removed from its place.

Guest
Peter Apr 03, 2020

Agreed, but this is not reflected in the example shown in the video, which suggests all controls have an effect on impact and probability.

Expert
Rhand Leal Apr 07, 2020

I'm assuming you are referring to the "How to implement risk treatment" video.

Considering that, the example shown in the video starts at approximately minute 2, and if you note, it is said, at approximately minute 2:50, that the mentioned controls (physical, technical, and organizational) have an impact on risk, but it does not mention impact and probability at this moment, so it is not possible to conclude that the mentioned controls have an effect on both elements.

If you understand you need more clarification, you can schedule a meeting with one of our experts at this link: https://advisera.com/27001academy/consultation/

 
