The risk treatment plan is the immediate output of the risk assessment. It defines how, based on the criteria established by senior management, each risk is to be handled. The options are to:
1) Knowingly accept the risk because it falls within the organisation's "risk appetite", in other words management deems the risk acceptable compared to the cost of improving controls to mitigate it;
2) Implement a suitable control or combination of controls to reduce (mitigate) the risk to a more acceptable level. Controls may be selected from the best practices defined in ISO 17799 and/or from other sources;
3) Avoid the risk, i.e. do not undertake the associated business activity;
4) Transfer the risk to another organisation (e.g. through insurance or by contractual arrangements with a business partner).
2 comments:
The 2007 risk assessment was a 4-step plan; now it has become a 7-step plan involving understanding triggers, making a suitable backup plan, and measuring your risk threshold.
Bellwether
ISO 27001 Consulting Company