If I was to find security risks and vulnerabilities, what type of methods and security configurations would be appropriate to protect and prevent impact to systems?
According to the results of the Risk Assessment, one or more of the following treatments should be considered:
- Decrease the risk: implementation of controls to reduce probability of occurrence and/or impact of the risk, thus reducing overall risk (e.g., antivirus decreases the probability to get infected by malware, and backup decreases the impact of data loss)
- Avoid the risk: stop performing the activity that causes the risk (e.g., ban BYOD because the risks of unauthorized access to the device are too high)
- Share the risk: transfer the risk to another party (e.g., buy an insurance policy for you house against fire)
- Retain the risk: accept the risk as it is, because you have no other viable alternative to apply.
This article will provide you further explanation about risk treatment:
- 4 mitigation options in risk treatment according to ISO 27001 http:/ /advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
Also, what types of ways can I implement and design ISMS to comply with ISO 27001?