Expert Advice Community

Guest

Treatment and management of risks

  Quote
Guest
Guest user Created:   Oct 01, 2019 Last commented:   Oct 01, 2019

Treatment and management of risks

Hola, tengo las siguientes preguntas en referencia al tratamiento y gestion de riesgos: me podeis ayudar con la respuesta? Gracias anticipadas!! Pregunta 1. En un mismo activo puedo tener ya aplicado un control o medidas de seguridad existentes y al mismo tiempo,  podre decidir aplicar un nuevo control? Activo: servidor Nivelo de riesgo muy alto Medidas de seguridad existentes: Actualmente ya existe un equipo redundante y en caso de averia, entraría en funcionamiento, falta mejorar la seguridad del CPD donde se ubica el equipo. A aplicar: Aquí es donde debemos aplicar el DOMINIO o el control/ controles? Pregunta 2. Exactamente tomando el mismo ejemplo que en la pregunta anterior, el dominio aplicar podría ser A9, pero únicamente aplicar el control A.92. Es decir, hasta que punto debo concretar si aplico el dominio o el control o los controles necesarios para cada activo?> Pregunta 3. Las medidas de seguridad que la empresa ya tiene aplicadas en los activos críticos, deben especificarse exactamente en referencia a un control o pueden detallarse en el documento, sin relacionarlo con un dominio o control especifico? Pregunta 4. Hemos seleccionado únicamente los activos con riesgo alto y muy alto. Estos activos pueden tener: Medidas de seguridad aplicadas y necesitar aumentarlas con nuevos controles Medidas de seguridad aplicadas y NO necesitar nuevos controles ¿es correcto este? No tener ninguna medida para reducir el riesgo y requiere aplicación de controles. Es correcto?<p> Pregunta 5. Los activos con riesgo resultante: bajo y medio, es aceptado por la organización. Que hay que hacer con ellos? Teniendo en cuenta que únicamente trataremos los riesgos alto y muy alto y aplicaremos controles a estos activos, el resto de los activos, desaparece del tratamiento y gestion? Se trata de un riesgo que se asume pero no se aplican medidas para reducirlo o es necesario aplicar y detallar las medidas para todos los activos, sea cual sea el nivel de riesgo resultante? Pregunta 6. De las 4 maneras definidas para tratar el riesgo, solo aplicaría controles en la opción de aplicar controles, en las otras 3 opciones elegibles, no se aplican controles, es correcto? Ejemplo, activo: fuego en el CPD/ riesgo alto Existen medidas de seguridad para detección de incendios pero no para extinción de incendios. En caso de fuego, la información esta en la nube y no se veria afectada…. Podriamos seleccionar transferir el riesgo a la compañía de seguros por que en caso de fuego, asumen el coste de la operativa? Es correcto?
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Oct 01, 2019

Hello, I have the following questions in reference to the treatment and management of risks: can you help me with the answer? Thanks in advance!!

1. In the same asset can I have already applied an existing control or security measures and at the same time, can I decide to apply a new control?

Asset: serverVery high-risk levelExisting security measures: Currently there is a redundant device and in case of failure, it would be operational, the safety of the data center where the equipment is located needs to be improved.To apply: This is where we should apply the DOMAIN or the control / controls?

You can apply as many controls to an asset as you understand is needed, and worthy,  to decrease related risks to an acceptable level. However, considering your stated scenario, it is not clear if you intend to apply new controls to the server, or to the datacenter (which would be another asset).

For further information, please read:- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

2. Exactly taking the same example as in the previous question, the domain applied could be A9, but only apply control A.92. That is, to what extent should I specify if I apply the domain or control or controls necessary for each asset?

The controls to be applied will depend on the results of risk assessment (the unacceptable risks related to the asset will give you an orientation on which controls to apply), and legal requirements (e.g., laws, regulations and contracts) (a specific clause on one of them may require a specific control to be applied).

3. The security measures that the company already has applied in the critical assets, must be specified exactly in reference to control or can they be detailed in the document, without relating it to a specific domain or control?

Controls already implemented before the standard implementation must be specified in the results of Risk Assessment, because they help explain the risk value for assets they are related to and in the Statement of Applicability, because they are applied in your ISMS scope.

For further information, please read:- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

4. We have selected only assets with high and very high risk. These assets may have:

Security measures applied and need to be increased with new controlsSecurity measures applied and NOT need new controls, is this correct?Having no measure to reduce the risk and requires controls.

It is right?

All scenarios are valid for ISO 27001:- You can have security measures applied and need to add new controls to lower risks to acceptable levels.- You can have security measures applied and no need to add new controls, either because the risks are on acceptable levels, or it is not worthy not to add new controls (the cost would be greater than if the risk occurred).- You can have assets with no unacceptable risks related to them, but you still have to implement controls because some legal requirement (e.g., laws, regulation, or contract) demands the implementation of such controls.

For further information, please read:- 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/

5. The assets with resulting risk: low and medium, is accepted by the organization. What to do with them? Taking into the account that we will only treat the high and very high risks and apply controls to these assets, does the rest of the assets disappear from the treatment and management? This is a risk that is assumed but no measures are applied to reduce it or is it necessary to apply and detail the measures for all assets, whatever the resulting level of risk?

Please note that in the Risk Assessment and Treatment Methodology approach used in the toolkit you bought, the risks considered accepted as a result of the risk assessment phase won't be transferred to the risk treatment, but they will continue to be managed (i.e., during risk review they would be reassessed in the risk assessment phase).

Risks considered accepted won't need any further treatment. You have to apply and detail controls only to risks considered unacceptable.

6. Of the 4 defined ways to deal with risk, you would only apply controls in the option to apply controls, in the other 3 eligible options, no controls are applied, is that correct?

Example, asset: fire in the CPD / high risk

There are safety measures for fire detection but not for fire extinguishing. In case of fire, the information is in the cloud and would not be affected….

Could we choose to transfer the risk to the insurance company because, in case of fire, they assume the cost of the operation? It is right?)

Implementation of controls are required when you decide to mitigate or transfer risks. In case of risk transfer (which is a valid option in your scenario) you either implement control by buying insurance, or by defining security clauses for a third-party that will handle the risk in your behalf (e.g., your cloud provider). But please note that on risk transfer your organization is still accountable for the impacts in case risks occur.

For further information, please read:- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Oct 01, 2019

Oct 01, 2019

Suggested Topics