Purpose and Scope
The organization establishes an information security risk treatment process to:
a) Select risk treatment options, taking into account the results of risk assessment
b) Determine the necessary controls for risk treatment
c) Compare the controls determined in item b) with those listed in Appendix A of the ISO/IEC 27001 standard
d) Prepare the Statement of Applicability
e) Develop the risk treatment plan
f) Obtain approval of the plan from the RSGI
Activities
Risk Treatment
In risk treatment, suitable measures must be identified and implemented to modify the risk. This involves one of four options: removing the risk (eliminating its root cause), transferring the risk (insurance, outsourcing, etc.), reducing the risk (implementing appropriate controls, etc.), or retaining the risk.
The ISO 27001 standard includes 134 security measures (or controls). The applicability of these 134 controls, along with the reasons for their selection or exclusion, is described in a document called the Statement of Applicability, in a section of the MR 6.1.1 Risk Assessment (VERA).
Based on the Risk Treatment Plan in a section of the MR 6.1.1 Risk Assessment (VERA), a list of instructions and their corresponding controls has been established, grouping them according to their scope (one instruction may implement multiple controls of the same type, for example, those related to network management or personnel).
Risk treatment is carried out through various sections of the MR 6.1.1 Risk Assessment (VERA).
In risk removal, the condition or activity giving rise to the examined risk must be eliminated. Risk removal may involve terminating or relocating activities deemed to pose a high risk. In risk transfer, the risk must be transferred to a party capable of managing it. Risk transfer may introduce new risks or modify existing ones. In risk retention, the decision is made to accept the risk without implementing any measures. Finally, in risk reduction, the impact of a particular risk must be reduced so that the residual risk becomes tolerable. Suitable controls must be selected, considering existing constraints such as time, budget, and technical, cultural, and legal factors.
Risk Acceptance
The decision is made to accept the risks because they are compatible with the adopted acceptance criteria and because the cost of treating them is deemed too high.
Risk Communication
Risks are communicated through an information channel to stakeholders both within and outside the organization. This ensures that those responsible for implementing the risk management plan understand the elements on which decisions are based and which of those decisions require specific actions to be taken.
Risk Monitoring and Review
Risks, assets, threats, and vulnerabilities must be monitored and reviewed so that significant changes are identified immediately, taking into account legal constraints, competitive aspects, asset values, and the risk acceptance criteria.
Appendix A: List of Typical Threats
The following list can be used as a starting point to create a relevant list of threats that may affect the information assets identified in the inventory.