Moved a directory, changed some filenames

This commit is contained in:
Richard Kranendonk 2026-06-06 20:37:28 +02:00
parent ae27a60bcf
commit 347706835e
195 changed files with 696 additions and 255 deletions


@ -0,0 +1,51 @@
# Risk Treatment in ISO 27001
Based on the ISO 27000 series (specifically ISO 27000 for definitions/overview and ISO 27001 for requirements), the standards outline four primary options for treating information security risks.
### 1. Options for Risk Treatment
According to ISO 27000, which provides the overview and vocabulary for the ISO 27001 standard, a risk treatment decision involves selecting one of the following options[^1][^2]:
* **Risk Reduction (Applying Controls):** This involves modifying the risk by applying appropriate information security controls to reduce the likelihood or consequences of an incident[^1][^2].
* **Risk Retention (Acceptance):** This option involves knowingly and objectively accepting the risk, provided it satisfies the organization's policy and criteria for risk acceptance[^2][^3]. This is an informed decision to take a particular risk, which may occur without treatment or after treatment controls have been applied (residual risk)[^4].
* **Risk Avoidance:** This involves deciding not to start or continue with the activity that gives rise to the risk, thereby avoiding the risk entirely.
* **Risk Sharing:** This involves sharing the associated risk with other parties, such as through insurance contracts or by working with suppliers.
### 2. The Risk Treatment Process in ISO 27001
ISO 27001 specifies the requirements for applying these options within an Information Security Management System (ISMS). When planning risk treatment, an organization must define and apply a process that includes the following steps:
* **Select Options:** Select appropriate risk treatment options based on the results of the risk assessment[^5].
* **Determine Controls:** Determine the necessary controls to implement the chosen treatment options. Organizations can design these controls themselves or identify them from any source[^6].
* **Compare with Annex A:** Compare the determined controls against the list of possible information security controls found in **Annex A** of ISO 27001 to ensure no necessary controls have been overlooked.
* **Produce a Statement of Applicability (SoA):** This document must list the necessary controls, justify their inclusion, state whether they are implemented, and justify the exclusion of any Annex A controls[^7].
* **Formulate a Plan:** Create an information security risk treatment plan[^8].
* **Obtain Approval:** The risk owners must approve the risk treatment plan and accept the residual information security risks (the risk remaining after treatment).
### 3. Implementing Controls (Risk Reduction)
If the decision is to reduce risk by applying controls, ISO 27001 and ISO 27002 provide a comprehensive reference set. ISO 27001 Annex A lists controls derived from ISO 27002, organized into four themes:
* **Organizational controls** (e.g., policies, return of assets).
* **People controls** (e.g., screening, remote working).
* **Physical controls** (e.g., physical security perimeters, clear desk policy).
* **Technological controls** (e.g., protection against malware, data leakage prevention).
### Analogy
To visualize these options, imagine you are managing the risk of a car accident:
* **Reduction:** You drive a car with advanced brakes and airbags (applying controls).
* **Avoidance:** You decide to walk instead of drive (eliminating the activity causing the risk).
* **Sharing:** You purchase auto insurance so the financial burden is shared with the insurer.
* **Retention:** You understand that despite your safe driving and insurance, a minor scratch might still happen, and you are willing to accept that possibility.
[^1]: ISO/IEC 27000:2018 3.72 risk treatment process (3.54) to modify risk (3.61), Note 1 to entry
[^2]: ISO/IEC 27000:2018 4.5.4 Treating information security risks
[^3]: ISO/IEC 27000:2018 3.57 residual risk risk (3.61) remaining after risk treatment (3.72)
[^4]: ISO/IEC 27000:2018 3.62 risk acceptance informed decision to take a particular risk (3.61) Note 1 to entry: Risk acceptance can occur without risk treatment (3.72) or during the process (3.54) of risk treatment.
[^5]: ISO/IEC 27001:2022(E) 6.1.2 Information security risk assessment
[^6]: ISO/IEC 27001:2022(E) 6.1.3 Information security risk treatment
[^7]: ISO/IEC 27001:2022(E) 6.1.3 Information security risk treatment Note 3
[^8]: ISO/IEC 27001:2022(E) 6.1.3 Information security risk treatment e) and f)
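Review bot: the Risk Avoidance and Risk Sharing bullets in section 1 carry no footnote, while Risk Reduction cites [^1][^2] and Risk Retention cites [^2][^3]; since the section opens by attributing all four options to ISO 27000, the same 4.5.4 clause ([^2]) should be cited on those two bullets as well so the list is uniformly sourced. Related: the Risk Retention bullet cites [^3], which is the residual-risk definition (3.57), for the acceptance-criteria statement, whereas the acceptance wording it paraphrases comes from 4.5.4 ([^2]) and 3.62 ([^4]), so the footnote placement is worth a second look. Minor style points: the heading "### Analogy" breaks the "### 1." / "### 2." / "### 3." numbering used by the other subsections, and footnotes [^1] and [^3] run the clause number, term, definition and cross-references together ("3.72 risk treatment process (3.54) to modify risk (3.61)"), which would read more clearly with a separator between the clause number, the term and its definition, as [^4] partly does with "Note 1 to entry:".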