Question: Link Treatment Options (Asset Risks) and Mitigation Options (Compliance Analysis)


I am trying to create an ISO 27001 based Risk Management. Asset Risks are created and mapped as drivers to the Annex A / ISO 27002 Compliance Analysis Items, as stated in the documentation.
During Risk treatment, I linked various policies and controls to the asset risks already, but I think it would also be helpful to have these also linked against the Compliance Items - so that in a report / SoA of the Compliance Analysis, not only the applicability and drivers would be contained, but also the selected measures.
Because I do not want to do things twice, is there any possibility do add/sync measures which I select as treatment for a Asset Risk automatically to the corresponding Compliance Analysis item(s)?

This is a little bit of an odd one - in most other modules, the asset risk relationship would be present and you’d simply use the filter to pull in the asset risks related to the control(s) you selected on the mitigation strategy and declare victory.

However, I suspect the intention was to allow a user to select a subset of asset risks as opposed to all for purposes of demonstrating which risks are connected.

The most efficient way to go about it would be to sort out a bulk import and some of the data can be exported from the asset risk module to give you those mappings. Give it a stir and you should be able to get the analysis done a lot faster…

1 Like

hi Rainer,
nope, you need to do this manually.

Any plans to improve that?

this topic is part of a larger topic which is incredibly complicated and expensive. i’ll try to think about it but there is absolutely no priority for us on this one.