...
- A completed risk assessment, analysis of the identified risks and prioritisation (ISO/IEC 27001 §6.1.2)
- A list of risk owners
If this is not the first time you have considered controls, you will also need to take into account:
- The effectiveness of previously selected controls
- The results of previous risk assessments
- The evaluation of monitoring and measuring activities
This page addresses ISO/IEC 27001 §6.1.3, Information Security Risk Treatment: select treatment options (not necessarily controls; for example accept, insure, or stop certain activities/behaviour), determine the applicable controls to mitigate risk (see the control sets listed below), and produce a Statement of Applicability for implementing the selected controls.
Control sets
You will need to decide on what set of controls is most appropriate to use in your organisation. It is from this set that you will select the controls necessary to control risks, and meet internal and external requirements. Sets of controls include:
- ISO/IEC 27001:2013 Annex A
- CIS Critical Security Controls
- The Australian "Essential Eight" maturity model (technical controls)
There may also be controls specific to your country. The UK specifies five controls for basic cyber hygiene in the Cyber Essentials standard, and the controls/objectives for operators of essential services under the NIS Directive are published by NCSC.
...