ISO 27001 Certification in Vietnam

The International Organization for Standardization (ISO) has revised and published the latest version of the standard, ISO 27001:2013, so that organizations can confidently manage and secure their important data and information. This globally recognized body has also developed standards for quality, safety and environmental management systems.

Once you have a list of unacceptable risks, you have to go through them one by one and decide how to treat each. Usually one of these four options is applied:

Decrease the risk: This is the most common option, and it means implementing safeguards (controls), such as fire-suppression systems.

Avoid the risk: Stop performing certain tasks or processes if they incur risks that are simply too big to mitigate with any other option. For example, you can decide to ban the use of laptops outside the company premises if the risk of unauthorized access to those laptops is too high (because, e.g., such a compromise could halt the complete IT infrastructure you are using).

Share the risk: This means you transfer the risk to another party. For example, you buy an insurance policy for your building against fire, and thereby transfer part of your financial risk to an insurance company. Unfortunately, this option has no influence on the incident itself, so the best strategy is to use it together with the first two options (decrease and avoid).

Retain the risk: This is the least desirable option; it means your organization accepts the risk without doing anything about it. It should be used only if the cost of mitigation would be higher than the damage an incident would incur.

Before you start the risk treatment

Before you start the risk treatment process, you should be aware of its main inputs: the Risk Management Methodology and the list of unacceptable risks from the risk assessment. An additional input should be the available budget for the current year, because mitigation will very often require an investment.
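The treatment decision described above, as an added worked example that is not part of the original page or of the ISO standard itself: a small risk-treatment planner that takes the three inputs named here (a scoring rule standing in for the methodology, the unacceptable risks from the assessment, and this year's budget) and applies the four options one risk at a time. The threshold, scores, damage estimates, proposed controls and costs are all constructed sample values; the rule that a risk may be retained only when the cheapest effective control costs more than the damage an incident would incur is the page's own, and the "unfunded" note for risks that fail only on budget is an assumption added so that such risks are escalated rather than silently accepted.

```python
"""Risk treatment planner (added example; sample data is constructed)."""
from dataclasses import dataclass

THRESHOLD = 6  # constructed: a likelihood x impact score above this is unacceptable


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int       # 1 (rare) .. 5 (almost certain)
    impact: int           # 1 (negligible) .. 5 (severe)
    expected_damage: int  # constructed estimate of the damage an incident would incur

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Treatment:
    option: str          # "decrease", "avoid" or "share"; "retain" is the fallback
    control: str         # the rule, technology or organizational change applied
    cost: int            # investment needed this year
    residual_score: int  # score expected once the control is in place


def unacceptable_risks(risks, threshold=THRESHOLD):
    """Second input from the text: risks the assessment rated above the acceptable level."""
    return [r for r in risks if r.score > threshold]


def plan_treatment(risks, proposals, budget, threshold=THRESHOLD):
    """Choose one treatment per unacceptable risk, most severe first, within budget.

    proposals maps a risk name to candidate Treatments.  Only candidates that bring
    the residual score down to the threshold count as effective, which is why a
    'share' option alone (insurance) does not qualify: it does not influence the
    incident itself.  Retention is recorded with the reason, so a risk retained
    merely for lack of budget is visibly different from one retained because
    mitigation would cost more than the damage.
    """
    remaining = budget
    plan = []
    for risk in sorted(unacceptable_risks(risks, threshold), key=lambda r: -r.score):
        effective = [t for t in proposals.get(risk.name, []) if t.residual_score <= threshold]
        entry = {"risk": risk.name, "option": "retain", "control": None,
                 "cost": 0, "residual": risk.score, "note": ""}
        if not effective:
            entry["note"] = "retained: no effective control proposed, needs a new proposal"
        else:
            cheapest = min(effective, key=lambda t: t.cost)
            if cheapest.cost > risk.expected_damage:
                entry["note"] = "retained: mitigation cost exceeds expected damage"
            elif cheapest.cost <= remaining:
                remaining -= cheapest.cost
                entry.update(option=cheapest.option, control=cheapest.control,
                             cost=cheapest.cost, residual=cheapest.residual_score)
            else:
                entry["note"] = f"retained: unfunded, needs {cheapest.cost - remaining} more budget"
        plan.append(entry)
    return plan


def total_investment(plan):
    """Sum of the investment the plan commits this year."""
    return sum(p["cost"] for p in plan)


# Constructed sample risk register and candidate treatments (hypothetical values).
RISKS = [
    Risk("server room fire", likelihood=2, impact=5, expected_damage=200_000),
    Risk("laptop theft outside premises", likelihood=4, impact=4, expected_damage=50_000),
    Risk("unpatched web server", likelihood=4, impact=3, expected_damage=30_000),
    Risk("legacy fax line tapping", likelihood=2, impact=4, expected_damage=3_000),
    Risk("printer paper shortage", likelihood=3, impact=1, expected_damage=500),
]
PROPOSALS = {
    "server room fire": [
        Treatment("decrease", "fire-suppression system", cost=40_000, residual_score=5),
        Treatment("share", "fire insurance policy", cost=8_000, residual_score=10),
    ],
    "laptop theft outside premises": [
        Treatment("avoid", "ban laptops outside company premises", cost=0, residual_score=4),
        Treatment("decrease", "full-disk encryption and device management", cost=15_000, residual_score=6),
    ],
    "unpatched web server": [
        Treatment("decrease", "monthly patching procedure", cost=20_000, residual_score=6),
    ],
    "legacy fax line tapping": [
        Treatment("decrease", "encrypt the fax line", cost=25_000, residual_score=2),
    ],
}

if __name__ == "__main__":
    for entry in plan_treatment(RISKS, PROPOSALS, budget=50_000):
        print(entry)
```

With the constructed budget of 50,000 the planner bans laptops off-site (avoid, no cost), funds the patching procedure (decrease), leaves the fire risk retained but flagged as unfunded by 10,000, and retains the fax risk because the control would cost far more than the expected damage. The printer risk never reaches the plan because its score is acceptable.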

When selecting new controls, there are basically three types to choose from:

Defining new rules: Rules are documented through plans, policies, procedures, instructions, etc., although you don't have to document some of the less complex processes.

Implementing new technology: For example, backup systems, disaster recovery locations for alternative data centers, etc.

Changing the organizational structure: In some cases, you will need to introduce a new job function, or change the responsibilities of an existing position.