Question - Converting Compliance Controls to risks

Hi Eramba community,

I’m in the process of implementing risks for the assets and third parties related to my business. However, I would like to know whether, in addition to the risks found (based on past incidents or situations), any of the compliance controls applied within my organization could also be added as risks.

For example, I have a compliance control that ensures the level of data protection (ISO27001 - 8.2), so to calculate an actual risk I decided to implement it as a risk, giving something like the following:

Risk: Inappropriate level of protection
Asset: Financial application
Threat: Fraud
Vulnerabilities: Lack of integrity, lack of data protection
Impact: High
Probability: Low
Risk Treatment:
    Treatment: Internal Controls
        My organization’s internal control
    Treatment: Security Policy
        My organization’s security policy

Thanks in advance for any reply to this topic!
You’ll take part in next week’s online training, and I’m sure you will understand then that in eramba you can document whatever you think is worth documenting … there is not really “wrong” and “right” … in all these years and hundreds of customers we have learned that all too well!