Once the assessment is completed, the information assets
that have intolerable risk and, therefore, require controls will
be identified. At that time, a document (sometimes referred
to as a risk assessment report) that indicates the risk value for
each asset is created.
Phase 6—Manage the Risks, and Create a Risk Treatment Plan
To control the impact associated with risk, the organization must accept, avoid, transfer or reduce the risk to an acceptable level using risk-mitigating controls. The next stage is performing a gap analysis against the controls provided in the standard (refer to Annex A of ISO/IEC 27001 or to ISO/IEC 27002) to create a risk treatment plan (RTP) and a statement of applicability (SOA). It is important to obtain management approval of the proposed residual risks.
The RTP (figure 5) provides:
• Acceptable risk treatment (accept, transfer, reduce, avoid)
• Identification of operational controls and additional proposed controls, with the help of gap analysis
• A proposed control implementation schedule
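The procedure above (gap analysis against a control catalogue, choice of a treatment per risk, an RTP with operational and proposed controls plus a schedule, and an SOA derived from it) can be made concrete in a small script. The following is an added example, not code from the article or from ISACA; the risk appetite threshold, the likelihood/impact scales, the decision rule for picking a treatment and the control catalogue are all assumptions. Control 10.5.1 is the one named in the article's SOA example; the other catalogue entries follow the ISO/IEC 27002:2005 numbering scheme but are illustrative and should be checked against the standard.

```python
from dataclasses import dataclass

# Assumed risk appetite (constructed): a risk value (likelihood x impact)
# at or below this is tolerable and is accepted; anything above is treated.
ACCEPTABLE_RISK = 6

# Tiny constructed control catalogue keyed by ISO/IEC 27002:2005-style
# number. 10.5.1 comes from the article's SOA example; the others are
# illustrative entries to make the gap analysis meaningful.
CONTROL_CATALOGUE = {
    "10.5.1": "Information backup",
    "10.6.1": "Network controls",
    "11.7.2": "Teleworking",
    "12.6.1": "Control of technical vulnerabilities",
}

# Controls already operated, each with the procedure that evidences it
# (XXX placeholders as in the article's SOA example; constructed).
IMPLEMENTED = {
    "10.5.1": "XXX-Information backup and media protection procedure",
    "12.6.1": "XXX-Annual vulnerability assessment procedure",
}


@dataclass
class Risk:
    asset: str
    description: str
    likelihood: int            # assumed scale 1 (rare) .. 5 (almost certain)
    impact: int                # assumed scale 1 (negligible) .. 5 (severe)
    relevant_controls: tuple   # catalogue controls that would reduce this risk
    transferable: bool = False # could an insurer take on some of it?

    @property
    def value(self) -> int:
        return self.likelihood * self.impact


def gap_analysis(risk: Risk, implemented: dict) -> list:
    """Relevant catalogue controls that are not yet implemented (the gap)."""
    return [c for c in risk.relevant_controls
            if c in CONTROL_CATALOGUE and c not in implemented]


def choose_treatment(risk: Risk, implemented: dict) -> str:
    """Assumed decision rule: accept tolerable risk; reduce when a missing
    control exists; otherwise transfer if possible, else avoid."""
    if risk.value <= ACCEPTABLE_RISK:
        return "accept"
    if gap_analysis(risk, implemented):
        return "reduce"
    if risk.transferable:
        return "transfer"
    return "avoid"


def build_rtp(risks: list, implemented: dict) -> list:
    """Risk treatment plan: highest risk first, with operational controls,
    proposed controls and a simple quarter-by-quarter schedule."""
    plan, quarter = [], 1
    for risk in sorted(risks, key=lambda r: r.value, reverse=True):
        treatment = choose_treatment(risk, implemented)
        proposed = gap_analysis(risk, implemented) if treatment == "reduce" else []
        plan.append({
            "asset": risk.asset,
            "risk": risk.description,
            "risk_value": risk.value,
            "treatment": treatment,
            "operational_controls": [c for c in risk.relevant_controls if c in implemented],
            "proposed_controls": proposed,
            "implementation_quarter": f"Q{quarter}" if proposed else None,
        })
        if proposed:
            quarter += 1
    return plan


def build_soa(implemented: dict, rtp: list) -> dict:
    """Statement of applicability: every catalogue control with its status,
    justification and procedure reference, keyed by control number."""
    proposed = {c for entry in rtp for c in entry["proposed_controls"]}
    soa = {}
    for cid, title in CONTROL_CATALOGUE.items():
        if cid in implemented:
            status, why, ref = "Adopted", "Control already operated by management.", implemented[cid]
        elif cid in proposed:
            status, why, ref = "Adopted", "Selected by gap analysis to reduce an intolerable risk.", "Procedure to be written per RTP"
        else:
            status, why, ref = "Not adopted", "No intolerable risk requires this control.", ""
        soa[cid] = {"control": f"{cid} {title}", "status": status,
                    "justification": why, "reference": ref}
    return soa


# Constructed risk register; the first entry is the article's firewall example.
RISKS = [
    Risk("Perimeter network", "Inappropriately configured firewall rule sets "
         "increasing the risk of unauthorized access to privileged resources",
         likelihood=3, impact=4, relevant_controls=("10.6.1", "12.6.1")),
    Risk("Web shop", "Business interruption from a data-centre fire",
         likelihood=2, impact=5, relevant_controls=(), transferable=True),
    Risk("File server", "Loss of data due to disk failure",
         likelihood=2, impact=3, relevant_controls=("10.5.1",)),
]


def example_rtp_and_soa():
    rtp = build_rtp(RISKS, IMPLEMENTED)
    return rtp, build_soa(IMPLEMENTED, rtp)


if __name__ == "__main__":
    rtp, soa = example_rtp_and_soa()
    for entry in rtp:
        print(entry["risk_value"], entry["treatment"], entry["asset"], entry["proposed_controls"])
    for row in soa.values():
        print(row["control"], "|", row["status"], "|", row["justification"])
```

The script separates the three artefacts the article describes: the gap list (what is missing), the RTP (what management decides to do about each intolerable risk and when), and the SOA (why each catalogue control is or is not adopted, with a reference to the procedure that evidences it), so that the approval of residual risk can be traced back to an explicit threshold and an explicit decision per risk.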
Figure 5—Risk Treatment Plan
Risk: Information security risk

Explanations of Risk Treatment Categories
• Avoid: Avoid the situation that creates the risk by proactive planning, redesigning or reengineering.
• Accept: Management should acknowledge the residual risk if there is no cost-effective solution.
• Reduce: Reduce or mitigate the risk; refer to the 133 controls to identify and implement suitable information security controls or the other initiatives in the organization, e.g., ITIL, COBIT.
• Transfer: Is it possible to transfer some or all of the risk to a third party (insurer)?

Risk and Risk Treatment Example With Applicable Controls
• Risk: Inappropriately configured firewall rule sets increasing the risk of unauthorized access to critical and/or privileged network resources
• Applicable controls: Management performs and reviews vulnerability assessments on an annual basis. Management has defined perimeter security controls, including firewalls and intrusion detection systems.
• Control objective: Controls provide reasonable assurance that data recorded, processed and reported remain complete, accurate and valid throughout the update and storage process.
Figure 6—Example SOA for Applicable Controls
ISO/IEC 27001 control: 10.5.1 Information backup
Adopted or not adopted: Adopted
Justification: Management has implemented a strategy for cyclical backup of data and programs.
Organization procedures and reference:
• XXX—Information security policy
• XXX—Information backup and media protection procedure