
Expert Advice Community

controls assessment

Guest post. Created: Jan 13, 2016. Last commented: Jan 13, 2016


Hi friends, I have a question about the risk assessment phase of the ISMS: if you have some controls already implemented to mitigate a risk, how do you measure the total contribution of each of them to the residual risk? What is your recommendation? Thanks, best regards.

AntonioS Jan 13, 2016

Generally, security controls are already implemented before the risk assessment, so during the risk assessment you need to evaluate risks considering that these controls are in place.
The contribution of the existing controls is measured through decreased likelihood, and sometimes through decreased impact.
If you have numerous controls implemented, you have to take into account their aggregate effect on the impact and likelihood of the risk; this means you have to list all the implemented controls and take all of them into consideration when assessing the impact and likelihood.
This article about residual risk may interest you, "Why is residual risk so important?": https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/

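As an added worked example (not part of the original thread and not Advisera's material), the following Python model shows the point made in the answer above: existing controls act on likelihood and impact, their effect has to be combined rather than counted one control at a time, and the asker's question of each control's share is answered with an attribution that sums to the total reduction. The 1-5 scale, the sample risk, the four controls and their reduction fractions are constructed assumptions chosen for illustration; the Shapley attribution is my addition, not a method the thread describes.

```python
"""Residual risk with several existing controls in place.

Constructed worked example: the 1-5 likelihood/impact scale, the sample
risk, the four controls and their reduction fractions are assumptions
chosen for illustration, not figures from the thread.
"""
from dataclasses import dataclass
from itertools import combinations
from math import factorial


@dataclass(frozen=True)
class Control:
    name: str
    likelihood_reduction: float  # fraction (0..1) by which it lowers likelihood
    impact_reduction: float      # fraction (0..1) by which it lowers impact


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float  # inherent likelihood on an assumed 1..5 scale
    impact: float      # inherent impact on an assumed 1..5 scale

    @property
    def inherent(self) -> float:
        return self.likelihood * self.impact


def residual(risk: Risk, controls) -> tuple[float, float, float]:
    """Return (likelihood, impact, risk) once the given controls are applied.

    Reductions combine multiplicatively: two controls that each halve
    likelihood leave 25 %, not 0 %. Summing the fractions instead would
    double-count overlapping controls and can push a value below zero.
    Results are floored at 1, the bottom of the assumed scale.
    """
    l_factor = 1.0
    i_factor = 1.0
    for c in controls:
        l_factor *= 1.0 - c.likelihood_reduction
        i_factor *= 1.0 - c.impact_reduction
    lik = max(1.0, risk.likelihood * l_factor)
    imp = max(1.0, risk.impact * i_factor)
    return lik, imp, lik * imp


def reduction(risk: Risk, controls) -> float:
    """Inherent risk minus residual risk for this set of controls."""
    return risk.inherent - residual(risk, controls)[2]


def leave_one_out(risk: Risk, controls) -> dict[str, float]:
    """Rise in residual risk if a single control were removed.

    These do not add up to the total reduction because controls overlap:
    they answer 'what do we lose if this one fails', not 'what share of
    the reduction is this one's'.
    """
    full = residual(risk, controls)[2]
    return {
        c.name: residual(risk, [o for o in controls if o is not c])[2] - full
        for c in controls
    }


def shapley(risk: Risk, controls) -> dict[str, float]:
    """Shapley share of the total reduction for each control.

    Averages a control's marginal effect over every order in which the
    controls could have been applied; the shares sum exactly to
    inherent - residual, so they can be reported as 'contribution'.
    """
    n = len(controls)
    shares = {}
    for c in controls:
        others = [o for o in controls if o is not c]
        total = 0.0
        for k in range(n):
            weight = factorial(k) * factorial(n - k - 1) / factorial(n)
            for subset in combinations(others, k):
                with_c = reduction(risk, list(subset) + [c])
                without_c = reduction(risk, list(subset))
                total += weight * (with_c - without_c)
        shares[c.name] = total
    return shares


# Constructed sample data (assumed values, not from the thread).
RISK = Risk("Ransomware encrypts the file server", likelihood=4, impact=5)
CONTROLS = [
    Control("Offline backups, restore tested quarterly", 0.0, 0.6),
    Control("Endpoint detection and response", 0.5, 0.0),
    Control("Security awareness training", 0.3, 0.0),
    Control("Network segmentation", 0.0, 0.3),
]


if __name__ == "__main__":
    lik, imp, res = residual(RISK, CONTROLS)
    print(f"{RISK.name}: inherent {RISK.inherent:.2f}, residual {res:.2f} "
          f"(likelihood {lik:.2f}, impact {imp:.2f})")
    loo, shap = leave_one_out(RISK, CONTROLS), shapley(RISK, CONTROLS)
    for c in CONTROLS:
        print(f"  {c.name:<42} if removed: +{loo[c.name]:.2f}  "
              f"share of reduction: {shap[c.name]:.2f}")
    print(f"  shares sum to {sum(shap.values()):.2f}, "
          f"total reduction {reduction(RISK, CONTROLS):.2f}")
```

With the sample values the inherent risk of 20 falls to a residual of 1.96. The leave-one-out figures (2.94, 1.96, 0.84, 0.84) sum to 6.58, far short of the 18.04 actually removed, which is why listing controls and "adding up" their individual effects misstates residual risk; the Shapley shares (6.825, 5.365, 2.925, 2.925) sum to exactly 18.04 and are the numbers to put in a treatment report if a per-control contribution is wanted.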
