Lesson 6.3
Information security risk treatment
In this lesson, we'll go over the requirements for Clause 8.3, and we'll also take a look at the supporting documentation for this clause. So this is where you carry out the risk treatment process that you defined back in Clause 6.1.3. Generally, you would have already performed an initial risk assessment and treatment by this stage, and this would be your next iteration of the risk assessment and treatment process.
When performing your information security risk treatment, it is important to bear in mind two things. Appropriate control selection helps to ensure that all necessary controls are included and no unnecessary controls are chosen, and that the design of the controls has the required depth and breadth to mitigate the risk appropriately. It is important not to burden yourself with unnecessary controls. This can end up in wasted money, as well as the time and effort of resources dedicated to implementing and managing these controls. Only implement controls that serve a valid purpose in mitigating risk appropriately. Having controls for the sake of having controls will just end up bogging you down at the end of the day and making things a lot more complicated than they need to be. Poor choice of controls can result in ineffective information security risk treatment, and in inefficient and overly expensive risk treatment.
The key to treating risks: you want to implement controls that are effective in mitigating the risk, and that do so in a cost-effective manner. When mitigating a risk, you want the cost of the mitigation to be less than the cost if the risk were to materialize.
The required documentation for this clause is similar to what we discussed for Clause 8.2. You would need to demonstrate the relationship from the necessary controls to the results of the risk assessment and the risk treatment processes; that is generally done in your Statement of Applicability. So, in other words, your Statement of Applicability will be one of the outputs considered for this clause. You will also have an updated risk treatment plan, which includes any new risk treatment activities as well as updates and progress reports on existing risk treatment activities. You would also have documents of treatment activities, such as penetration test reports, control test reports, budgets, current expenditure and so forth. Management reviews and audit reports could also be used to support this clause: management reviews in the form of management being involved in reviewing the progress and supporting risk treatment opportunities, and audit reports either from your internal audits or from any other audit that takes place within your organization that covers risk treatment activities.
Where risk treatment involves risk acceptance, there must be evidence of the risk acceptance. This must include formal sign-off from risk owners and other approved stakeholders. The decision as to why the risk was approved and accepted must also be formally documented, so that the reasoning behind it is evident.
In this lesson, we covered risk treatment and how this Clause 8.3 is different to Clause 6.3, in that they are not so very different at all. Clause 6.3 involves planning, while 8.3 involves re-performance and ensuring the process is occurring repeatedly and frequently. We also took a look at the documentation that is required for this clause.