Guest
Taking into account existing controls in the risk assessment
We are well on our way with the risk assessment at the moment. There are a lot of controls that are already in place. We have assessed the risks as if we did not have the existing controls and then again with the controls. The question is, should we add the existing controls already to the risk assessment table or only start thinking about those in the risk treatment table?
Answer: During the risk assessment you should take into account the existing controls, because they decrease the probability of your risk.
If we take the existing controls into account only in the risk treatment table, there will be a lot of risks that are actually already at the acceptable level, since the controls are already in use.
Answer: This is true, but in your Statement of Applicability you will define those controls as applicable because you're already using them.
Jan 12, 2016