Risk Treatment Advice
Hello,
We are a small IT co. currently at Risk Treatment stage. IT manager has now become engaged in more detail and suggesting that we accept all suggested controls automatically generated for each risk. Understandably, his thinking is that it is safer to be comprehensive and many controls will be selected in other risks anyway. I think that there is a danger here that explaining any given control applied to a risk might look like 'box ticking' if the control is not really applicable/relevant to the particular risk.
Example; one risk/threat pair 'Rules for mobile devices not defined/theft, vandalism, or sabotage' offers 32 controls.If we have to explain/justify each of these controls in SoA that seems a lot of work and some justifications may be thin? This is just 1 of 114 risks he has selected for application of controls, so we may be creating a huge mountain to climb?
Any advice/guidance on this appreciated.
Assign topic to the user
First, it is important to note that Conformio follows the logic of the ISO 27100 standard: based on the results of risk assessment, it shows for each risk deemed unacceptable by the organization only the controls that can decrease the risk, i.e., controls that are applicable/relevant to the risk. Conformio will not show a control that is not applicable/relevant to a given risk.
In situations where a lot of controls are suggested, it is not mandatory to apply them all (in most cases, selecting 3 or 4 controls is enough to decrease risk to acceptable levels). The number of controls suggested is to provide you with more flexibility for the implementation.
You can try to choose initially the two or three controls you understand are more relevant for the risk or are more common to all risks you are treating.
Regarding justification for control applicability, Conformio decreases your justification effort by automatically including predefined texts in the Statement of Applicability, that are compliant with the standard's clauses, based on:
- related relevant risks that can be treated by the control (e.g., “to treat risks 001, 057, 068, and 103 from the risk treatment table.”)
- applicable legal requirements that the control fulfills (e.g., “to treat requirements 002, 017, and 23 from the register of requirements.”)
Additionally, you can edit the justification to a text you understand is more proper or add control as applicable by defining it as required by management decisions.
Comment as guest or Sign in
Sep 21, 2023