CHAPTER 14: RISK TREATMENT AND THE SELECTION OF CONTROLS

Once you have completed the risk assessment, you can move on to the selection of controls. This chapter reviews the requirements of ISO 27001 around control selection, which is also known as ‘risk treatment’.

As we said in chapter 1, there are four risk treatment decisions that can be made:

1. Avoid/reject the risk by deciding not to pursue the practices and/or arrangements that give rise to the risk.

2. Retain/take the risk, keeping it under review.

3. Modify/reduce risks to ‘acceptable’ levels through the application of controls.

4. Share the risk with another party, whether through contract or insurance.

The criterion that is used in making the decision is simple: either the risk is within ...
