Risk and Treatment with ISMS.online
In this video, I am going to show you how to do risk treatment very simply and connect it back to the Annex A policies and controls. The 6.1 area links to the risk register and treatment plan, and to the applicable legislation register. Both tools are accessible from the tools menu and inside the cluster area. You can also favourite them and add them to your homepage.
Inside the risk register and treatment plan
The risk bank contains a number of risks that are easy to adopt, adapt and add to your plan. At this stage you will have completed 4.1, 4.2 and 4.3: you will have identified your internal and external issues, your interested parties and, from those, your scope. All of this feeds into the risks you record.
The input area on the left is simple to follow, and the data table at the bottom builds automatically as you add risks. Selecting a risk on the risk map on the right displays its details in the input area, including the threat and the consequences. The level you want to reach is a residual risk you are prepared to tolerate, arrived at by managing and treating each risk. Each risk should have an owner and a due date, with the due date set according to the risk's position on the risk map.
Further down, the table shows how you are treating each risk. The risk bank gives you example controls that help address the risk you have identified, but you can also add controls of your own and treat a risk outside Annex A. This is where you task and document how you are dealing with the risk. Good practice is to link each treatment back to the Annex A controls: your auditor will expect to see, and to understand, that you are doing so.
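As an added example (not ISMS.online's own code, and not the layout of its risk register), the following Python models the workflow above: a risk with threat, consequence and owner, inherent and residual scores, a tolerance threshold, a due date driven by the risk's position on the map, and treatments that either link to an Annex A control or are flagged as unlinked for the auditor. The 5x5 likelihood/impact scale, the tolerance of 6, the due-date bands, the sample risks and the Annex A control identifiers quoted in them are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Assumed scoring scheme for this example (not from the page): likelihood 1..5 times
# impact 1..5; a residual score of 6 or below is tolerated.
SCALE_MAX = 5
TOLERANCE = 6


def due_in_days(inherent_score: int) -> int:
    """Assumed due-date bands by position on the risk map: top-right corner (score >= 15)
    must be treated within 30 days, the middle band (>= 8) within 90, the rest within 180."""
    if inherent_score >= 15:
        return 30
    if inherent_score >= 8:
        return 90
    return 180


@dataclass
class Treatment:
    description: str
    annex_a_control: Optional[str]  # e.g. "A.8.5"; None means treated outside Annex A
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    title: str
    threat: str
    consequence: str
    owner: str
    likelihood: int  # 1..SCALE_MAX
    impact: int      # 1..SCALE_MAX
    treatments: List[Treatment] = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_levels(self):
        """Apply every treatment's reduction, never dropping below 1 on either axis."""
        l = max(1, self.likelihood - sum(t.likelihood_reduction for t in self.treatments))
        i = max(1, self.impact - sum(t.impact_reduction for t in self.treatments))
        return l, i

    def residual_score(self) -> int:
        l, i = self.residual_levels()
        return l * i

    def is_tolerable(self, tolerance: int = TOLERANCE) -> bool:
        return self.residual_score() <= tolerance

    def due_date(self, start: Optional[date] = None) -> date:
        start = start or date.today()
        return start + timedelta(days=due_in_days(self.inherent_score()))

    def unlinked_treatments(self) -> List[Treatment]:
        return [t for t in self.treatments if t.annex_a_control is None]


def audit_gaps(register: List[Risk], tolerance: int = TOLERANCE) -> List[str]:
    """Findings an auditor would raise: residual risk above tolerance, or a treatment
    that is not linked back to an Annex A control."""
    findings = []
    for r in register:
        if not r.is_tolerable(tolerance):
            findings.append(f"{r.title}: residual {r.residual_score()} exceeds tolerance {tolerance}")
        for t in r.unlinked_treatments():
            findings.append(f"{r.title}: treatment '{t.description}' not linked to an Annex A control")
    return findings


def sample_register() -> List[Risk]:
    """Constructed sample risks; control identifiers are illustrative ISO 27001:2022 Annex A references."""
    return [
        Risk("Credential theft via phishing", "Phishing campaign", "Unauthorised access to email and SaaS",
             "Head of IT", likelihood=4, impact=4,
             treatments=[Treatment("Enforce MFA on all accounts", "A.8.5", likelihood_reduction=2),
                         Treatment("Phishing awareness training", "A.6.3", likelihood_reduction=1)]),
        Risk("Loss of laptop holding client data", "Device theft or loss", "Personal data breach",
             "CISO", likelihood=3, impact=4,
             treatments=[Treatment("Full-disk encryption on all laptops", "A.8.24", impact_reduction=2),
                         Treatment("Cyber insurance cover", None, impact_reduction=1)]),
        Risk("Unpatched VPN appliance", "Exploitation of a known vulnerability", "Network compromise",
             "Network Manager", likelihood=4, impact=5,
             treatments=[Treatment("Patch within vulnerability SLA", "A.8.8", likelihood_reduction=1)]),
    ]


if __name__ == "__main__":
    for r in sample_register():
        print(f"{r.title}: inherent {r.inherent_score()}, residual {r.residual_score()}, "
              f"owner {r.owner}, due {r.due_date()}")
    for finding in audit_gaps(sample_register()):
        print("FINDING:", finding)
```

Run as a script, the register prints each risk's inherent and residual score alongside its owner and due date, then lists the two findings: the VPN risk is still above tolerance after treatment, and the insurance treatment on the laptop risk has no Annex A link, which is exactly the gap an auditor would question.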