ISO 27001 Clause 6.1.3 Information security risk treatment

-

Information security risk treatment



Required activity

The organization defines and applies an information security risk treatment process.

 Implementation Guideline

Information security risk treatment is that the overall process of choosing risk treatment options, determining appropriate controls to implement such options, formulating a risk treatment plan and obtaining approval of the Risk treatment plan by the Risk owner(s).All steps of the knowledge security risk treatment process also because the results of its application are retained by the organization as documented information.

Information security risk treatment options

Risk treatment options are:
  1. Avoiding the Risk by deciding to not start or continue with the activity that provides rise to the Risk or by removing the Risk source (e.g. closing an e-commerce portal);
  2. Taking additional risk or increasing risk so as to pursue a business opportunity (e.g. opening an e-commerce portal);
  3. Modifying the Risk by changing the likelihood (e.g. reducing vulnerabilities) or the results (e.g. diversifying assets) or both;
  4. Sharing the Risk with other parties by insurance, sub-contracting or risk financing; and
  5. Retaining the Risk supported the Risk acceptance criteria or by informed decision (e.g. maintaining the prevailing e-commerce portal because it is).
Each individual risk should be treated in line with information security objectives by one or more of those options, so as to satisfy risk acceptance criteria.
 Determining necessary controls
Special attention should tend to the determination of the required information security controls. Any control should be determined supported information security risks previously assessed. If a corporation features a poor information security risk assessment, it’s a poor foundation for its choice of data security controls.
Appropriate control determination ensures:
  1. All necessary controls are included, and no unnecessary controls are chosen; and
  2. The planning of necessary controls satisfies an appropriate breadth and depth.
As a consequence of a poor choice of controls, the proposed information security risk treatment can be:
  1. Ineffective;
  2. Inefficient and thus inappropriately expensive.
To ensure that information security risk treatment is effective and efficient, it’s therefore important to be ready to demonstrate the connection from the required controls back to the results of the Risk assessment and risk treatment processes. It is often necessary to use multiple controls to realize the specified treatment of the knowledge security risk for instance , if the choice to vary the results of a specific event is chosen, it may require controls to effect prompt detection of the event also as controls to reply to and recover from the event.
When determining controls, the organization should also take under consideration controls needed for services from outside suppliers of e.g. applications, processes and functions. Typically, these controls are mandated by entering information security requirements within the agreements with these suppliers, including ways to urge information close to which extent these requirements are met (e.g. right of audit). There could also be situations where the organization wishes to work out and describe detailed controls as being a part of its own ISMS albeit the controls are administered by outside suppliers. Independently of the approach taken, the organization always should consider controls needed at their suppliers when determining controls for its ISMS.
------------------------------------------------------------------------------------------------------------
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com

Comments

Post a Comment

Popular posts from this blog

ISO 27001 Annex : A.5 Information Security Policies

-
Image
5. 1  Management direction for information security ISO 27001 Annex : A.5 Information Security Policies, Its objective is to provide management guidance and  information security  assistance in accordance with business requirements and relevant laws and regulations. 5.1.1 Policies for Information Security Control-   A set of information security policies should be established, managed accepted, published and communicated to the employees and related external parties. Implementation Guidance-  At the very least companies need to identify a management-approved “information security strategy,” which outlines the organization’s approach to managing its information security goals. Information security policies should meet criteria that have been created by: Business strategy; Regulations, legislation and contracts; The present and projected  information security threat  environment Related Product :   ISO 27001 Lead Auditor Training And Certification ISMS The informa
Read more

10 Secrets You Will Never Know About Cyber Security And Its Important

-
Image
Know about Cyber Security Whether you’re a techie or not, there’s a good chance that your life is very reliant on the net and its wonders. Your social media accounts are likely humming, and you recognize your way round the IOT devices you employ . All of those devices connect you to the cyber world in a method or another. Here are 12 things to understand about  cyber security . And once you are sharing such a lot of your data online daily, you may also care about your cyber security.  If you’ve always thought cyber security are a few things only big companies got to care about change your mind, now. Cyber security is as critical on a private level, because it is on a company’s level. Besides, there’s hardly any job or profession, that’s not supported technology. With  jobs or a career in mind , you need to understand what threatens your security online and what you’ll be able to do to stay your data secure. 1  You’re a target to hackers Don’t ever say “It won’t happen t
Read more

Types of Vulnerability Assessment

-
Image
Given below are the different types of vulnerability assessments:   Active Assessment Active assessments are a type of vulnerability assessment that uses network scanners to scan the network to identify the hosts, services, and vulnerabilities present in that network. Active network scanners have the capability to reduce the intrusiveness of the checks they perform.   Passive Assessment Passive assessments sniff the traffic present on the network to identify the active systems, network services, applications, and vulnerabilities. Passive assessments also provide a list of the users who are a recently using the network. External Assessment External assessment assesses the network from a hacker's point of view to find out what exploits and vulnerabilities are accessible to the outside world. These types of assessments use external devices such as firewalls, routers, and servers. An external assessment estimates the threat of network security attacks
Read more