Information Security Risk Management for ISO27001/ISO27002

CHAPTER 13: RISK TREATMENT AND THE SELECTION OF CONTROLS

Once you have completed the risk assessment, you can move on to the selection of controls, and this chapter reviews the requirements of ISO27001 around control selection, which is also known as ‘risk treatment’.

As we said in Chapter 1, there are four risk treatment decisions that can be made:

• accept the risk;

• eliminate the risk by work-around or other arrangements;

• control the risk to bring it to an acceptable level;

• transfer it to a third party (e.g. via insurance).

The criterion that is used in making the decision is simple: either the risk is within the risk tolerance level, in which case it is accepted, or it is not, in which case it must be avoided, controlled or transferred. ...

Get Information Security Risk Management for ISO27001/ISO27002 now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Information Security Risk Management for ISO27001/ISO27002 by Alan Calder, Steve Watkins

CHAPTER 13: RISK TREATMENT AND THE SELECTION OF CONTROLS

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly