
Control Risk Strategies

The control risk strategy will only be completed after the resource attribute valuation (Confidentiality, Integrity and Availability), Control Maturity Assessment and the Risk Assessment are complete.

Divisions

The 'Select Division' filter shows the maximum risk associated with each of the divisions. If multiple risk assessments are completed in different divisions (which we only recommend if control maturities are assessed differently per division), it can be worth filtering per division.

Controls

This shows all applicable controls, the related risk score of each control and the risk treatment action. Clicking on a control will populate the control overview tab and show the following information.

Control Overview

This shows the 3 values for risk:


Note: The names of these risk types can be modified for an organisation, so these values may be different for your organisation.
These can be modified within Home -> Organisation -> RA Setup -> Set Up Risk Types.

Risk Treatment Decision

A risk strategy can then be allocated to the controlled risk. The risk owner defaults to the control owner but can be set to any contact within Abriska. An action description allows any difference from the recommendation to be recorded.

The default risk decisions are explained below.

Note: The names of these risk treatment actions can be modified for an organisation, so these values may be different for your organisation. These can be modified within Home -> Organisation -> RA Setup -> Risk Strategies.

Bulk mark risk treatment decision

To bulk mark a risk treatment decision for a risk appetite level, go (from the dashboard) to Control Maturity Assessment > Control Risk Strategies. On the 'Control Count' panel, select the risk appetite level (High, Medium, Low or Negligible; this may be different in your account based on setup preference). Once the risk level has been selected, you will be presented with a risk review date, risk treatment decision and risk treatment owner to allocate to all controls of this risk appetite level. The page will also highlight which controls this will apply to. This can also be filtered by division: within 'Control Filter', tick 'Filter to division'.

Risk Treatment Bulk roll out

Related Threats

This tab will only be populated once you click on the “Threat” button at the top of the control overview tab. It shows all of the threats that are related to this control, and therefore which threats the organisation is exposed to by having this control at this level of maturity. The maximum score on this table will be the maximum score for the control.

Related Resources/Assets

This tab will only be populated once you click on the “Threat” button at the top of the control overview tab and then click on a threat. It will then display all of the related resources, that is, all of the resources that are exposed to this threat as a result of the maturity of this control.


Related Risks

This tab pulls data from the risk register, allowing users to make a more informed decision on the risk strategy for a given control. The related risks are based on the mapping between controls and threats; the risk register is a risk hierarchy of the threats.

Maturity Assessment

Once an action has been updated and completed, the maturity of the control and its implementation should be updated. This is a quick link to the maturity assessment page. The control implementation should be updated to reflect the actions completed, and the maturity level can be reassessed to determine if it can be increased by a level.

From the control, you can click 'Risk Strategy' to take you back to the control risk strategies page.

Control Risk Attribute Dashboard

This is found on the left panel of the page. The attributes from ISO 27001:2022 have been mapped to the controls in Abriska, allowing you to filter the risk view by:
  • Operational Capabilities
  • Control Types
  • Information Security Properties
  • Cybersecurity Concepts
  • Security Domains
    Control risk attributes



