ISO 27001 Clause 6.1.3 Information security risk treatment
Required activity
The organization defines and applies an information security risk treatment process.
Implementation Guideline
Information security risk treatment is the overall process of choosing risk treatment options, determining appropriate controls to implement those options, formulating a risk treatment plan and obtaining approval of the risk treatment plan by the risk owner(s). All steps of the information security risk treatment process, as well as the results of its application, are retained by the organization as documented information.
Information security risk treatment options
Risk treatment options are:
- Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk, or by removing the risk source (e.g. closing an e-commerce portal);
- Taking on additional risk or increasing risk in order to pursue a business opportunity (e.g. opening an e-commerce portal);
- Modifying the risk by changing the likelihood (e.g. reducing vulnerabilities) or the consequences (e.g. diversifying assets) or both;
- Sharing the risk with other parties through insurance, sub-contracting or risk financing; and
- Retaining the risk, based on the risk acceptance criteria or by informed decision (e.g. maintaining the existing e-commerce portal as it is).
Each individual risk should be treated in line with the information security objectives by one or more of these options, so as to satisfy the risk acceptance criteria.
Determining necessary controls
Special attention should be given to the determination of the required information security controls. Any control should be determined based on the information security risks previously assessed. If an organization has a poor information security risk assessment, it has a poor foundation for its choice of information security controls.
Appropriate control determination ensures:
- All necessary controls are included, and no unnecessary controls are chosen; and
- The design of the necessary controls satisfies an appropriate breadth and depth.
As a consequence of a poor choice of controls, the proposed information security risk treatment can be:
- Ineffective;
- Inefficient and thus inappropriately expensive.
To ensure that information security risk treatment is effective and efficient, it is therefore important to be able to demonstrate the connection from the necessary controls back to the results of the risk assessment and risk treatment processes. It is often necessary to use multiple controls to achieve the required treatment of an information security risk. For instance, if the option to modify the consequences of a particular event is chosen, it may require controls to effect prompt detection of the event as well as controls to respond to and recover from the event.
When determining controls, the organization should also take into account the controls needed for services from outside suppliers of, for example, applications, processes and functions. Typically, these controls are mandated by including information security requirements in the agreements with these suppliers, including ways to obtain information about the extent to which these requirements are met (e.g. a right of audit). There may also be situations where the organization wishes to determine and describe detailed controls as part of its own ISMS even though the controls are operated by outside suppliers. Independently of the approach taken, the organization should always consider the controls needed at its suppliers when determining controls for its ISMS.
Continue reading at: https://www.info-savvy.com/iso-27001-6-1-3-information-security-risk-treatment/
------------------------------------------------------------------------------------------------------------
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com