1 / 3

Risk treatment according to ISO 27001

ISO 27001 is an Information Security Management System (ISMS) standard. It is one of the globally recognized ISO 27000 family of standards. The ISMS implemented by addressing the risk and opportunities that affect data security and information in the organization systematically.<br><br>

jobinwason
Download Presentation

Risk treatment according to ISO 27001

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Risk treatment according to ISO 27001:2013 Certification Every people are think risk assessment is that the most difficult a part of implementing ISO 27001 Certification true, risk assessment is perhaps the foremost complex, but risk treatment is certainly the one that's more strategic and more costly. Purpose of risk treatment shows rather simple, to regulate the danger s identified during the danger assessment; in most cases this is able to mean to decrease the risk by reducing the likelihood of an event (e.g., by using nonflammable building materials), and/or to scale back the impact on assets (e.g., by using automatic fire- suppression systems). During the danger treatment the organization should specialise in those risks that aren't acceptable; otherwise, it might be difficult to define priorities and to finance the mitigation of all the identified risks. 4Most common treatment options in 27001:2013certification Once you've got an inventory of unacceptable risks, you've got to travel one by one and choose the way to treat each – usually, these options are applied: Decrease the danger : this feature is that the commonest , and it includes implementation of safeguards (controls) – like fire-suppression systems, etc. Avoid the risk: Stop performing certain task or processes if they incurred such risks that are just too big to mitigate with the other options – e.g., you'll plan to ban the usage of laptops outside of the corporate premises if the danger of unauthorized access to those laptops is just too high (because, e.g., such hacks could halt the entire IT infrastructure you're using). Share the danger : It means you transfer the risk to a different party – e.g., you purchase an policy for your building against fire, and thus you transfer a part of your financial risk to an insurance Organization. Unfortunately, this feature not has any influence on the incident itself, therefore the best strategy is to use this feature along side options 1) and 2). Retain the risk: it's rock bottom desirable option, and it means your organization accepts the danger without doing anything about it. this feature should be used as long as the mitigation cost would be above the damage an event would incur. Before you begin the danger treatment Before starts the danger treatment processing, you ought to remember of the most inputs: these are Risk Management Methodology and unacceptable risks from the

  2. danger assessment; however, a further input should even be the available allow the present year, because fairly often the mitigation would require an investment. When selecting new controls, basically there are three sorts of controls: Defining new rules: rules are documented through plans, policies, procedures, instructions, etc., although you don’t need to document some less complex processes. Implementing new technology in ISO Information Security Management System (ISMS) : For example, backup systems, disaster recovery locations for alternative data centers, etc. Changing the organizational structure: In some cases, you'll got to introduce a replacement job function, or change the responsibilities of an existing position. Deciding which controls to select: Risk treatment may be a step where you normally wouldn’t include a really wide circle of individuals – you'll need to brainstorm on each treatment option with specialists in your company (EAS) who specialise in certain areas. as an example , if the treatment has got to do with Information Security Management System (ISMS) ,you will speak to your IT guys; if it's about new trainings, you'll speak to human resources, etc. of course, the ultimate decision about some new treatment option would require a choice from the acceptable management level – sometimes the EAS are going to be ready to make such decisions, sometimes it'll be your project team, sometimes you'll need to attend the head responsible of a specific field (e.g., head of the legal department if you invite additional clauses within the contracts together with your partners), or perhaps to the chief level for larger investments. If have doubts regarding who can decide what, consult your project sponsor. The process of risk treatment is extremely often documented similarly to the method of risk assessment – through Excel sheets or a tool, and eventually , within the Risk treatment report. Such example of a risk treatment table might look something like this: Asset Threat Vulnerability Treatment option Means of implementation

  3. Server Fire No extinguisher 1) Decrease risk + 2) Share risk Purchase fire extinguisher + buy policy against fire Laptop Access by unauthorized persons Inadequate password 1) Decrease risk Write Password Policy System administrator Leaving the company No replacement 1) Decrease risk Hire second supervisor who will learn everything the primary one does If you select to live residual risks, it should be done along side responsible persons in departments – you've got to point out them which treatment options you've got planned for, and supported this information, and using an equivalent scales, you've got to assess the residual risk for each unacceptable risk identified earlier during risk assessment. So, for instance, if you had identified a consequence of level 4 and likelihood of level 5 during your risk assessment (which would mean risk of 9 by the tactic of addition), your residual risk could also be 5 if you assessed that the consequence would lower to three and likelihood to 2 thanks to , e.g., safeguards you planned to implement. Be creative! When considering these options, and particularly safeguards that involve an investment in technology, please watch out for the subsequent , fairly often the primary concept involves mind are going to be the foremost expensive. So, think hard before you buy some expensive new system. Sometimes alternatives will exist which will be equally effective, but with lower cost. Also, remember that the majority of the risks exist due to human behavior, not due to machines – therefore, it's questionable whether a machine is that the solution to such a drag . In other words, this is often where you would like to urge creative – you would like to work out the way to decrease the risks with minimum investment. it might be the simplest if your budget was unlimited, but that's never getting to happen. And, i need to tell you that unfortunately, your management is true – it's possible to realize an equivalent result with less money – you simply got to be clever enough to return up with an answer. Visit: iso 27001 certification germany

More Related