Risk treatment
Regarding the theft of a laptop from a car, while the policy can prohibit leaving a laptop in a car, thus reducing the probability of theft, how does a backup or encryption lower the probability of theft? It merely lowers the impact when the theft occurs, but not the probability of theft. The thief does not know the data is backed up or encrypted, and usually doesn't care because he most often is after the hardware for resale, not the data.
In fact, backup or encryption has no effect on the probability of theft.
Please note that not all security controls are intended to affect likelihood and impact at the same time. For example, backup and encryption are intended to affect impact, as you identified, while an antivirus is intended to affect likelihood (once a malware circumvents the antivirus, it fully impacts its target).
That's why people work on the concept of security in depth, where multiple controls are used to increase security. In your example, you can add some sort of physical lock to minimize the probability of the laptop being removed from its place.
Agreed, but this is not reflected in the example shown in the video, which suggests all controls have an effect on impact and probability.
I'm assuming you are referring to the "How to implement risk treatment video".
Considering that, the example shown in the video starts at approximately minute 2, and if you note, it is said at approximately minute 2:50 that the mentioned controls (physical, technical, and organizational) have an impact on risk, but it does not mention impact and probability at this moment, so it is not possible to conclude that the mentioned controls have an effect on both elements.
If you understand you need more clarification, you can schedule a meeting with one of our experts at this link: https://advisera.com/27001academy/consultation/
Apr 06, 2020