Hi Eramba community,
I’m in the process of implementing risks for the assets and third parties related to my business. However, in addition to the risks found (based on past incidents or situations), I would like to know if any of the compliance controls applied within my organization could also be added as risks.
For example,
I have a compliance control that ensures the level of data protection (ISO27001 - 8.2), so to calculate an actual risk I decided to implement it as a risk, giving something like the following:
Risk: Inappropriate level of protection
Asset: Financial application
Threat: Fraud
Vulnerabilities: Lack of integrity, lack of data protection
Impact: High
Probability: Low
Risk Treatment: Mitigate
Treatment: Internal Controls
My organization’s internal control
Treatment: Security Policy
My organization’s security policy
Thanks in advance for any reply to this topic!
Luis