Actions to Address Risks and Opportunities Part 3

00:01

Lesson 4.9 point three

00:04

Actions to address risks and opportunities

00:07

Close 6.1 point three Information Security risk treatments

00:14

In this video, we're going to cover the risk treatment methods,

00:18

and we'll also have a look at the mandatory documentation for this clause.

00:27

Generally, there are four main types of risk treatment options

00:32

in the risk evaluation section. We spoke quite a bit about risk acceptance. This is the first method of risk treatment.

00:40

You accept a risk

00:42

when a risk is at a level

00:44

that falls within your acceptable risk tolerance levels.

00:49

For example,

00:50

if your organization has established that it will accept all risks under a Level two,

00:57

as well as risks

01:00

that will not exceed

01:02

a 10% off the

01:06

replacement acid cost to fix

01:08

whatever

01:10

the cases

01:15

Thesiger treatment option is mitigate.

01:19

This is one of the most common

01:21

risk treatment options,

01:23

as this generally involves the implementation, off controls

01:26

or the improvement of existing controls.

01:30

You can have one or multiple controls to mitigate a risk.

01:37

Mitigating the risk seeks to either reduce the likelihood off the risk occurring

01:42

or reduce the impact off the risk occurring

01:47

or reduced. Both the likelihood and the impact of the risk occurring.

01:53

The next treatment option

01:55

is to avoid the risk.

01:57

This means that whatever activity is associate ID with that risk or would give rise to the risk

02:05

that would be stopped entirely,

02:07

meaning it is too risky to use a cloud service provider, for example. So therefore, we won't use a cloud service provider. We would rather do everything ourselves and keep all information that we need in house,

02:22

not leverage off any external platforms.

02:27

The fourth risk treatment option is to transfer a risk.

02:31

The most common example of this is to take out insurance.

02:37

This does not get rid of the risk.

02:39

The risk is still yours. At the end of the day, you cannot transfer the ownership accountability for the risk.

02:47

You can only transfer

02:51

the impact

02:52

off the risk. Occurring

02:55

insurance would pay you out a compensating fee for a security incident,

03:00

which would make it easier for your organization to recover and manage that incident.

03:07

Another option in transfer

03:10

is to use a specialist third party for a specific service.

03:16

For example,

03:19

you want to perform penetration tests in your organization,

03:23

but it is too risky for you to do yourself as you do not have the qualified personal in house.

03:30

Therefore,

03:30

you will transfer that risk and get a third party in to perform those assessments for you.

03:37

This in itself can present different risks, but probably with different scales and ones that would fall within your acceptable

03:45

risk levels.

03:46

So what is the documentation that is required for close 6.1 point three?

03:53

The standard is not prescriptive about what your documentation needs to look like or how it needs to be done. That part is up to you,

04:01

but there are a couple of things that are required to be documented in some way off.

04:08

The first document that you will have

04:11

outlining your controls is the statement of applicability

04:14

as discussed previously.

04:15

These are all the controls you have deemed relevant and necessary to manage information security within your organization.

04:24

It is important that controls which are not applicable to your environment

04:28

are explicitly justified as to why they are not applicable

04:32

in the same sense. The controls that are applicable should be justified through a reference to your initial risk assessment.

04:41

This shows a justification of the controls as each control is associated to a specific risk

04:46

and works to mitigate the risk in some way,

04:49

strength through effectiveness. Off the control determines how much a risk is mitigated.

04:55

That is a determination to be made by your organization. During the initial risk assessment,

05:00

I saw a 27,001

05:03

recommends using the ISO 27,002

05:06

or an extra A

05:08

for the controls framework upon which to base your statement of applicability.

05:13

You can, of course, use any of the available controls frameworks

05:16

such as in a special publication 53.

05:19

The ISF standard of good practice privacy laws is a 23 22 3 or one, etcetera.

05:28

So why is this statement of applicability required documentation for floor 6.1 point three?

05:33

This shows the applicable controls with links to items on the risk register.

05:40

It also shows non applicable controls with justification.

05:46

The statement of applicability shows

05:47

that existing controls have addressed some or other risk in some way off

05:56

your risk treatment process. The ways in which you go about treating risks should be documented

06:02

as you assign different risk owners that are not necessarily part of your direct I sem s team or even have an information security background

06:12

should be equipped with the appropriate knowledge

06:14

guidelines of hard to properly treat risks.

06:18

This can include the methods that need to be employed. Example controls contact people to work with and so forth.

06:28

The risk treatment plan is the key piece of documentation that comes out of 46.1 point three

06:34

for every risk that needs to be treated,

06:39

specifically requiring a mitigation

06:42

or a chance for level of treatment. This would come through into your risk treatment plan.

06:48

Risks that have been accepted

06:50

and avoided

06:53

should also be documented in the risk treatment plan. But these will obviously require a lot less documentation and if it around them,

07:01

the risk treatment plan should contain plans for treating risks within the set due dates.

07:09

The plan should also contain the owners or the responsible teams or personal

07:13

that will oversee the achievement efforts.

07:16

It is also a good thing to include progress updates in the plan

07:21

to show that the risk treatment process has been monitored closely

07:27

in regular progress updates fit into the plan.

07:31

You're probably also generate stand alone reports on your progress.

07:35

This will include various metrics to prove that risk treatment is being regularly tracked and acted upon.

07:43

This would be presented at somewhat other forum to your top management

07:46

for your information security management for him

07:49

just to report back on results, and if any support or deviations have occurred,

07:56

then this would need to be presented here.

08:01

In this video, we covered the full main types of risk treatment actions

08:05

and what each one means.