Risk Treatment and Security Controls
Figure 3. Risk treatment activity according to ISO/IEC 27005:2018
Risk treatment offers four options to consider for every identified risk: risk modification, retention, avoidance and sharing.
Risk modification
The level of risk should be managed by introducing, removing or altering security controls so that the residual risk can be reassessed as being acceptable.
Appropriate and justified controls should be selected to meet the requirements identified by the risk assessment and risk treatment. This selection should also take account of the cost and timeframe for implementation of controls, or technical, environmental and cultural aspects.
In general, controls can provide one or more of the following types of protection: correction, elimination, prevention, impact minimization, deterrence, detection, recovery, monitoring and awareness. During control selection, it is important to weigh the cost of acquisition, implementation, administration, operation, monitoring, and maintenance of the controls against the value of the assets being protected.
Risk retention
The decision to retain the risk without further action should be based on the risk evaluation.
If the level of risk meets the risk acceptance criteria, there is no need for implementing additional controls and the risk can be retained.
Risk avoidance
The activity or condition that gives rise to the particular risk should be avoided.
When the identified risks are considered too high, or the costs of implementing other risk treatment options exceed the benefits, a decision can be made to avoid the risk completely, by withdrawing from a planned or existing activity or set of activities, or by changing the conditions under which the activity is operated. For example, for risks caused by nature, the most cost-effective alternative can be to physically move the information processing facilities to a place where the risk does not exist or is under control.
Risk sharing
The risk should be shared with another party that can most effectively manage the particular risk, depending on the risk evaluation.
Risk sharing involves a decision to share certain risks with external parties. Risk sharing can create new risks or modify existing, identified risks. Therefore, additional risk treatment may be necessary. Sharing can be done through insurance that covers the consequences, or by sub-contracting a partner whose role is to monitor the information system and take immediate action to stop an attack before it causes a defined level of damage.
Note that the responsibility for managing risks can be shared, but it is not normally possible to share the liability for an impact.
Specific risk treatment starts with selecting the appropriate treatment option – risk modification, retention, avoidance or sharing. According to the chosen risk treatment option, security controls for the system can now be selected and tailored to achieve the desired security objectives. Once the applicable security controls have been identified for a system, the implementation process follows. To facilitate the risk treatment process, a tool (see Annex 1) has been created that helps to record details about the implementation status of the control, required resources, responsible persons and deadlines of control implementation.
The security controls listed below should be treated as a baseline, not as an exhaustive list of applicable security controls.
The security controls listed in this manual cover the following domains:
- Information security governance and management
- Mobile devices and remote access
- Human resources security (including training)
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security and management of end points
- Network security
- Logging and monitoring
- Backup of systems and data
- Vulnerability and patch management
- Systems development and maintenance
- Supplier relationship management
- Business continuity
- Information security incident management