Expert Advice Community

Treatment and management of risks

Guest
Guest user Created:   Oct 01, 2019 Last commented:   Oct 01, 2019

Hello, I have the following questions regarding risk treatment and management; could you help me with the answers? Thanks in advance!!

Question 1. On the same asset, can I already have an existing control or security measures applied and, at the same time, decide to apply a new control?
Asset: server
Risk level: very high
Existing security measures: there is already a redundant device which, in case of failure, would take over; the security of the data center (CPD) where the equipment is located needs to be improved.
To apply: is this where we should apply the DOMAIN or the control/controls?

Question 2. Taking exactly the same example as in the previous question, the domain to apply could be A9, but only control A.92 would be applied. That is, to what extent must I specify whether I apply the domain, or the control or controls needed for each asset?

Question 3. The security measures the company already has applied to critical assets: must they be specified exactly with reference to a control, or can they be detailed in the document without relating them to a specific domain or control?

Question 4. We have selected only the assets with high and very high risk. These assets may have:
- Security measures applied, and need to increase them with new controls
- Security measures applied, and NOT need new controls. Is this correct?
- No measure at all to reduce the risk, and require the application of controls. Is this correct?

Question 5. Assets with a resulting risk of low or medium are accepted by the organization. What must be done with them? Given that we will only treat high and very high risks and apply controls to those assets, do the remaining assets disappear from treatment and management? Is it a risk that is assumed but no measures are applied to reduce it, or is it necessary to apply and detail measures for all assets, whatever the resulting risk level?

Question 6. Of the 4 defined ways to treat risk, controls would only be applied in the "apply controls" option; in the other 3 eligible options, no controls are applied. Is this correct? Example: asset: fire in the CPD / high risk. There are security measures for fire detection but not for fire extinguishing. In case of fire, the information is in the cloud and would not be affected.... Could we choose to transfer the risk to the insurance company because, in case of fire, they assume the cost of operations? Is this correct?
Expert
Rhand Leal Oct 01, 2019

Hello, I have the following questions in reference to the treatment and management of risks: can you help me with the answer? Thanks in advance!!

1. In the same asset can I have already applied an existing control or security measures and at the same time, can I decide to apply a new control?

Asset: server
Very high-risk level
Existing security measures: Currently there is a redundant device and in case of failure, it would be operational; the safety of the data center where the equipment is located needs to be improved.
To apply: This is where we should apply the DOMAIN or the control / controls?

You can apply as many controls to an asset as you understand is needed, and worthy, to decrease related risks to an acceptable level. However, considering your stated scenario, it is not clear if you intend to apply new controls to the server, or to the datacenter (which would be another asset).

For further information, please read:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

2. Exactly taking the same example as in the previous question, the domain applied could be A9, but only apply control A.92. That is, to what extent should I specify if I apply the domain or control or controls necessary for each asset?

The controls to be applied will depend on the results of risk assessment (the unacceptable risks related to the asset will give you an orientation on which controls to apply), and legal requirements (e.g., laws, regulations and contracts) (a specific clause on one of them may require a specific control to be applied).

3. The security measures that the company already has applied in the critical assets, must be specified exactly in reference to control or can they be detailed in the document, without relating it to a specific domain or control?

Controls already implemented before the standard implementation must be specified in the results of Risk Assessment, because they help explain the risk value for assets they are related to and in the Statement of Applicability, because they are applied in your ISMS scope.

For further information, please read:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

4. We have selected only assets with high and very high risk. These assets may have:

- Security measures applied and need to be increased with new controls
- Security measures applied and NOT need new controls, is this correct?
- Having no measure to reduce the risk and requires controls.

Is it right?

All scenarios are valid for ISO 27001:
- You can have security measures applied and need to add new controls to lower risks to acceptable levels.
- You can have security measures applied and no need to add new controls, either because the risks are on acceptable levels, or it is not worth adding new controls (the cost would be greater than if the risk occurred).
- You can have assets with no unacceptable risks related to them, but you still have to implement controls because some legal requirement (e.g., laws, regulation, or contract) demands the implementation of such controls.

For further information, please read:
- 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/

5. The assets with resulting risk low and medium are accepted by the organization. What to do with them? Taking into account that we will only treat the high and very high risks and apply controls to these assets, do the rest of the assets disappear from the treatment and management? Is this a risk that is assumed but no measures are applied to reduce it, or is it necessary to apply and detail the measures for all assets, whatever the resulting level of risk?

Please note that in the Risk Assessment and Treatment Methodology approach used in the toolkit you bought, the risks considered accepted as a result of the risk assessment phase won't be transferred to the risk treatment, but they will continue to be managed (i.e., during risk review they would be reassessed in the risk assessment phase).

Risks considered accepted won't need any further treatment. You have to apply and detail controls only to risks considered unacceptable.

6. Of the 4 defined ways to deal with risk, you would only apply controls in the option to apply controls, in the other 3 eligible options, no controls are applied, is that correct?

Example, asset: fire in the CPD / high risk

There are safety measures for fire detection but not for fire extinguishing. In case of fire, the information is in the cloud and would not be affected….

Could we choose to transfer the risk to the insurance company because, in case of fire, they assume the cost of the operation? Is it right?

Implementation of controls is required when you decide to mitigate or transfer risks. In case of risk transfer (which is a valid option in your scenario) you either implement controls by buying insurance, or by defining security clauses for a third party that will handle the risk on your behalf (e.g., your cloud provider). But please note that on risk transfer your organization is still accountable for the impacts in case risks occur.

For further information, please read:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
