Information Security Risk Treatment


Time
7 hours 56 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:01
Lesson 6.3
00:03
Information Security Risk Treatment
00:10
In this lesson,
00:11
we'll go over the requirements for Clause 8.3,
00:16
and we'll also take a look at the supporting documentation for this clause.
00:25
So this is where you carry out the risk treatment process that you defined back in Clause 6.1.3.
00:32
Generally, you would have already performed an initial risk assessment and treatment by this stage, and this would be your next iteration of the risk assessment and treatment process.
00:45
When performing your information security risk treatment,
00:48
it is important to bear in mind two things.
00:52
Firstly,
00:53
appropriate control selection helps to ensure
00:56
that all necessary controls are included and no unnecessary controls are chosen
01:03
and that the design of the controls satisfies the required
01:06
depth
01:07
and breadth, with the ability to mitigate the risk appropriately.
01:12
it is important to not burden yourself with unnecessary controls. This can end up in wasted
01:19
money
01:21
as well as time and effort of resources dedicated to implementing and managing these controls.
01:26
Only implement controls that serve a valid purpose in mitigating risk appropriately.
01:32
Having controls for the sake of having controls,
01:34
will just end up bogging you down at the end of the day and making things a lot more complicated than they need to be.
01:44
Poor choice of controls can result in an ineffective information security risk treatment
01:51
and inefficient and overly expensive risk treatment.
01:57
The key to treating risks:
02:00
You want to implement controls
02:02
that are effective in mitigating the risk
02:05
and that do so in a cost effective manner
02:08
ultimately
02:09
when mitigating a risk,
02:12
you want the cost
02:13
of the mitigation
02:15
to be less
02:16
than the cost
02:19
of the risk, were it to materialize.
02:30
The required documentation for this clause
02:34
is similar to what we discussed for Clause 8.2.
02:38
You would need to demonstrate the relationship between the necessary controls and the results of the risk assessment
02:45
and the risk treatment processes.
02:47
That is generally done in your Statement of Applicability.
02:52
So, in other words, your statement of applicability will be one of the outputs considered for this
02:58
clause.
03:00
You will also have an updated risk treatment plan,
03:02
which includes any new risk treatment activities
03:07
as well as updates and progress reports
03:09
on existing risk treatment activities.
03:15
You would also have documentation of treatment activities,
03:17
such as penetration test reports, control test reports,
03:23
project plans,
03:23
budgets, current expenditure
03:27
and so forth.
03:30
Management reviews and audit reports could also be used to support this clause:
03:36
management reviews in the form of
03:38
management being involved in reviewing the progress and supporting risk treatment opportunities,
03:46
and audit reports, either from your internal audits or any other audit that takes place within your organization
03:53
that covers risk treatment activities.
04:00
Where risk treatment involves risk acceptance,
04:02
there must be evidence of the risk acceptance.
04:05
This must include formal sign-off from risk owners
04:10
and other approved stakeholders.
04:13
The decision as to why the risk was approved and accepted
04:17
must also be formally documented
04:19
so that the reasoning behind it is evident.
04:30
To recap,
04:30
in this lesson we covered risk treatment
04:33
and how Clause 8.3
04:36
differs from Clause 6.1.3,
04:40
in that they are not so very different at all.
04:42
Clause 6.1.3 involves planning,
04:45
while 8.3 involves re-performance and ensuring the process occurs repeatedly and frequently.
04:54
We also took a look at the documentation that is required for this clause.
ISO 27001:2013 - Information Security Management Systems

The ISO 27001:2013 - Information Security Management Systems course provides students with insights into the detail and practical understandings meant by the various clauses in the ISO 27001 Standard.
