Expert Advice Community

Risk Treatment Advice

Gerry Created: Sep 18, 2023 Last commented: Sep 21, 2023

Hello,

We are a small IT co. currently at the Risk Treatment stage. The IT manager has now become engaged in more detail and is suggesting that we accept all suggested controls automatically generated for each risk. Understandably, his thinking is that it is safer to be comprehensive and many controls will be selected in other risks anyway. I think that there is a danger here that explaining any given control applied to a risk might look like 'box ticking' if the control is not really applicable/relevant to the particular risk.

Example: one risk/threat pair, 'Rules for mobile devices not defined / theft, vandalism, or sabotage', offers 32 controls. If we have to explain/justify each of these controls in the SoA, that seems a lot of work, and some justifications may be thin? This is just 1 of 114 risks he has selected for application of controls, so we may be creating a huge mountain to climb?

Any advice/guidance on this appreciated.


Expert
Rhand Leal Sep 20, 2023

First, it is important to note that Conformio follows the logic of the ISO 27001 standard: based on the results of the risk assessment, it shows for each risk deemed unacceptable by the organization only the controls that can decrease the risk, i.e., controls that are applicable/relevant to the risk. Conformio will not show a control that is not applicable/relevant to a given risk.

In situations where a lot of controls are suggested, it is not mandatory to apply them all (in most cases, selecting 3 or 4 controls is enough to decrease the risk to acceptable levels). The number of controls suggested is there to provide you with more flexibility for the implementation.

You can initially choose the two or three controls you consider most relevant for the risk, or those most common to all the risks you are treating.

Regarding justification for control applicability, Conformio decreases your justification effort by automatically including predefined texts in the Statement of Applicability that are compliant with the standard's clauses, based on:

  • related relevant risks that can be treated by the control (e.g., “to treat risks 001, 057, 068, and 103 from the risk treatment table.”)
  • applicable legal requirements that the control fulfills (e.g., “to treat requirements 002, 017, and 23 from the register of requirements.”)

Additionally, you can edit the justification to a text you consider more proper, or add a control as applicable by defining it as required by management decisions.

Gerry Sep 21, 2023

Hi Rhand,

Many thanks for the comprehensive response.
