Focus on Risk Treatment
28th September 2016
An Information Security Risk Treatment Plan is one of the mandatory documentation requirements, called out in Section 8.3 of ISO27001:2013. In plain English, this is a record of all identified risks that need to be attended to, and the steps taken to ensure that the organisation is not subject to increased risk while these risks remain.
A common approach to assessing a specific risk is to identify and evaluate the effectiveness of controls that are already in place to protect an asset from a vulnerability or threat, and to compare this evaluation against the organisation’s risk acceptance threshold. Anything below the line is deemed to be an acceptable risk, but anything higher than the threshold indicates an unacceptable risk that needs further attention promptly.
Organisations have four distinct options to address such risks:
- Reduce the Risk
The most commonly used approach, the risk can be reduced to within the acceptance threshold by introducing additional controls, or improving the effectiveness of existing controls. This action will improve the risk calculation by either reducing the probability of the specific risk taking place, and/or reducing the impact if it were to take place. All security controls can be implemented with varying degrees of effectiveness, so it may be as simple as identifying how an existing control can be implemented or operated in a more effective manner.
Within InfoSaaS: a risk assessment identified as having one or more unacceptable risks, compared with the risk acceptance threshold defined by the organisation within the solution, can be progressed in several ways. In this example, finalise the current assessment to record the current situation, and select the option to automatically create an identical subsequent assessment which is used as a basis for recording changes to controls in an attempt to treat the risk and make it acceptable.
- Transfer the Risk
If an organisation finds it too difficult or too expensive to amend existing security controls or add new ones, it may consider transferring the risk to a third party who is better positioned to manage it (e.g. a third party data centre provider or an insurance company). The organisation will, however, still need to satisfy itself that the person/organisation to whom the risk is being transferred has the capabilities/experience to manage the underlying risk better.
Within InfoSaaS: by engaging a third party to manage the risk better than the organisation can itself, the current risk assessment is finalised to record the current situation. Select the option to automatically create an identical subsequent assessment, which can then be used as the basis for re-assessing vulnerabilities and threats in light of the engagement of the third party. This will present different probability and impact values, and if the third party has been chosen carefully, the identified risk will now be treated.
- Avoid the Risk
The simplest option for managing unacceptable risks is to stop undertaking the activities that gave rise to them altogether. Examples may include prohibiting the conduct of sensitive business over public internet connections, or relocating assets away from areas identified as being in flood zones.
Within InfoSaaS: the current risk assessment is finalised to record the current situation. Select the option to automatically create an identical subsequent assessment, which can then be used to record that an individual vulnerability or threat no longer applies as a result of an activity no longer taking place.
- Accept the Risk
There are some circumstances where an organisation cannot implement effective controls to manage risks, or the associated costs are prohibitive. In these cases, all stakeholders should be consulted to seek agreement to the risk being accepted before it is formally signed off as such. Accepted risks should be subject to regular reviews in case new opportunities for managing them in an alternative manner arise in the meantime.
Within InfoSaaS: a risk assessment identified as having one or more unacceptable risks, compared with the risk acceptance threshold defined by the organisation within the solution, can be progressed in several ways. In this example, finalise the current assessment to record the current situation, and on the basis that no remedial action can be identified, select the option to transfer the assessment for ISMS Manager review. The ISMS Manager has the option to (a) accept the risk on behalf of the organisation, recording their justification and defining the next review date, or (b) reject the risk and return the risk assessment to the Asset Owner to treat the risks as per Option 1 (Reduce the Risk).
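The four treatment options above, worked through on a small risk register. This is an added illustration written for this article, not InfoSaaS code: the 1 to 5 probability and impact scales, the way independent controls are combined (residual = probability x impact x the product of each control's remaining exposure), the threshold value and the sample risks are all constructed assumptions, chosen only to show how each option moves a risk relative to the acceptance threshold and what an accept decision must record.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Risk:
    asset: str
    threat: str
    probability: int          # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int               # assumed scale: 1 (negligible) .. 5 (severe)
    controls: dict = field(default_factory=dict)  # control name -> effectiveness 0.0..1.0
    applicable: bool = True   # False once the activity giving rise to the risk is avoided
    accepted_by: Optional[str] = None
    justification: Optional[str] = None
    next_review: Optional[date] = None
    notes: list = field(default_factory=list)

    def residual(self) -> float:
        """Inherent score (probability x impact) reduced by the controls in place.
        Assumed combination rule: each control leaves (1 - effectiveness) of the
        exposure, and independent controls multiply."""
        if not self.applicable:
            return 0.0
        remaining = 1.0
        for eff in self.controls.values():
            remaining *= (1.0 - eff)
        return round(self.probability * self.impact * remaining, 2)

def unacceptable(register, threshold):
    """Risks still needing treatment: applicable, not signed off, above the threshold."""
    return [r for r in register
            if r.applicable and r.accepted_by is None and r.residual() > threshold]

# Option 1: reduce the risk by adding a control (or raising an existing one's effectiveness)
def reduce_risk(risk, control, effectiveness):
    risk.controls[control] = effectiveness
    return risk.residual()

# Option 2: transfer the risk, then re-assess probability and impact in light of the third party
def transfer_risk(risk, third_party, new_probability, new_impact):
    risk.probability, risk.impact = new_probability, new_impact
    risk.notes.append(f"transferred to {third_party}; probability/impact re-assessed")
    return risk.residual()

# Option 3: avoid the risk by stopping the activity; the threat no longer applies
def avoid_risk(risk, reason):
    risk.applicable = False
    risk.notes.append(f"avoided: {reason}")
    return risk.residual()

# Option 4: accept the risk; sign-off needs a justification and a future review date
def accept_risk(risk, manager, justification, next_review, today):
    if not justification.strip():
        raise ValueError("acceptance requires a recorded justification")
    if next_review <= today:
        raise ValueError("accepted risks must carry a future review date")
    risk.accepted_by, risk.justification, risk.next_review = manager, justification, next_review
    return risk.residual()

def treatment_plan(register, threshold):
    """One record per risk: residual score and current status."""
    plan = []
    for r in register:
        if not r.applicable:
            status = "avoided"
        elif r.accepted_by:
            status = f"accepted by {r.accepted_by}, review {r.next_review.isoformat()}"
        elif r.residual() <= threshold:
            status = "within threshold"
        else:
            status = "UNTREATED"
        plan.append({"asset": r.asset, "threat": r.threat, "residual": r.residual(), "status": status})
    return plan

def demo(threshold=8.0, today=date(2016, 9, 28)):
    # Constructed sample register; every entry starts above the threshold.
    register = [
        Risk("customer database", "ransomware", 4, 5, {"anti-malware": 0.3}),
        Risk("staff laptops", "theft in transit", 3, 4),
        Risk("branch office", "flooding", 2, 5),
        Risk("legacy reporting app", "unpatched software", 3, 3),
    ]
    before = len(unacceptable(register, threshold))
    reduce_risk(register[0], "offline backups", 0.5)            # 14.0 -> 7.0
    transfer_risk(register[1], "insurer", 3, 2)                  # 12.0 -> 6.0
    avoid_risk(register[2], "assets relocated out of flood zone")  # 10.0 -> n/a
    accept_risk(register[3], "ISMS Manager", "vendor fix due Q1; network segmented",
                date(2017, 3, 31), today)                        # stays 9.0, signed off
    return before, len(unacceptable(register, threshold)), treatment_plan(register, threshold)

if __name__ == "__main__":
    for entry in demo()[2]:
        print(entry)
```

Running `demo()` starts with four unacceptable risks and ends with none untreated: two are brought under the threshold (reduce, transfer), one is removed from scope (avoid), and one remains above the threshold but is recorded as accepted with a justification and review date, which is exactly the information the treatment plan has to hold for that option.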
InfoSaaS and Risk Treatments
InfoSaaS is a secure, cloud-based IT risk management solution which is extensively used by customers around the world to help deliver an effective information security culture, and support them in achieving and retaining ISO27001 certifications. Intuitive workflows and informative displays allow users to efficiently identify unacceptable risks, and guide them through a range of options which address the requirements of the ISO27001:2013 standard.
InfoSaaS provides a fully-featured demonstration system, populated with fictitious data, which can be used to test drive and evaluate the solution quickly and easily. With low monthly subscriptions, enthusiastic customer support and a proven track record in supporting successful ISO27001 projects, there’s never been a better time to see how we can improve your organisation’s security.