I have an unavoidably large scope but limited resources. My risk treatment plan has an overwhelming number of items that need to be treated. I have already prioritized treatment based on risk level, but I don't have sufficient resources to treat all of them in a timely manner. How should I proceed? For example: is it okay to simply accept some of the risks in the treatment plan with a view to reducing or transferring them at a later date?
Answer:
If you cannot reduce risks, the other options are: accept, avoid or transfer them. This is related to the risk treatment process. So, now you need to select an option for each risk (for example, accept those that you cannot reduce), and when you perform the risk assessment again (generally once per year) you need to select an option again (it can be the same, for example accept them, or it can be different, for example reduce or transfer them).
The best approach for me, considering your case, would be: accept the risks now, and in the next cycle of the risk assessment reduce them (obviously only if you can; if not, you can again accept, avoid or transfer them).
This article may be interesting for you, "Risk Treatment Plan and risk treatment process: What's the difference?": https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
Jan 13, 2016