Identification of Existing Controls


Time
7 hours 56 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:01
Lesson 4.4 Identification of existing controls
00:10
In this video, we will cover the identification of controls
00:14
and why this is an important step in your risk management process.
00:21
Controls can be identified from your statement of applicability,
00:25
existing processes and procedures,
00:29
previous audits,
00:31
risk treatment plans
00:33
as well as from your information security, IT and other staff.
00:40
The purpose of this step is to avoid incurring unnecessary work or cost, for example by implementing duplicate controls.
00:50
Before you go into your risk
00:53
assessment and treatment processes, it is important to understand what you already have in place.
01:00
This step also allows you and your team the opportunity to review and assess the existing controls
01:07
to determine if they are actually operating as intended,
01:11
or if additional work on these controls needs to be planned and implemented.
01:15
Any planned controls should also be considered here.
01:21
This step should be quite easy if you've already finished your statement of applicability.
01:26
Knowing the controls you already have in place will help you to understand which risks may already have mitigating features around them.
01:34
Understanding the controls you have as well as the current maturity of these controls
01:40
is valuable in seeing if any of these controls are actually creating a vulnerability.
01:46
For example,
01:48
a user access review control that is not happening as per its defined frequency
01:53
can result in a control breakdown and therefore be seen as a vulnerability.
02:00
Those who know the control is not operating as it should are well positioned to potentially take advantage of this.
02:08
If you have controls that are planned to be implemented,
02:13
these are also relevant to the risk assessment and will feed through to the risk treatment plan, if not already there.
02:20
At the end of this exercise, you should have some sort of document
02:23
either as an addendum of sorts to your statement of applicability or documented somewhere else,
02:30
that lists the controls that exist, their current effectiveness,
02:35
any noted breakdowns as well as controls that are planned to be implemented in future.
02:40
As mentioned,
02:43
previous audits, risk treatment plans, information security management processes,
02:49
and the information security and IT staff
02:52
can all be sources to help identify and provide input on these controls.
03:00
To summarize,
03:01
in this lesson, we covered why existing controls need to be identified
03:07
and we also examined some of the sources that can be used to assist in this process.