The risk treatment plan brings structure to BSI IT-Grundschutz, or rather reduces the measures to those that address unacceptable risks. The sheer volume of measures is today often a weighty reason to avoid the otherwise very good BSI-Grundschutz. For medium protection needs, BSI-Grundschutz provides neither a risk analysis nor a risk treatment as we know them from ISO 27001. This has advantages, but unfortunately also the disadvantage that in a medium-sized IT network (20 to 30 target objects) we have to find and implement several thousand measures; many of the 1300 BSI measures are listed several times for different target objects.

But now there is a remedy. Recently Royal Dutch Shell sought to clarify these questions. In opus i we have implemented the risk assessment and risk treatment for all 650 BSI-Grundschutz hazards, and we let the user view the 1300 BSI measures according to his own risk acceptance. From his own risk perspective (risk appetite) he determines which risks are unacceptable, ALARP (as low as reasonably practicable) or acceptable, and automatically, with one click, obtains a risk treatment plan listing the risks and the measures.

How does it work? We create the risk analysis in five steps, of which only the first four are necessary:

1. Define the probability scale.
2. Define the damage scale.
3. Capture the risk matrix with the mouse.
4. Classify the BSI hazards according to (1) and (2).

So much for the necessary steps. We apply this risk analysis to the IT network, and opus i creates the risk treatment plan with a single mouse click. This risk treatment plan is the basis for the PDCA cycle.

A picture says more than a thousand words. Look at the result here; the password is 'opusi': download/pressedownload/03.zip

PS: we generated step 4 of the risk analysis programmatically at random, so not every hazard rating will be realistic.
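The four steps above, and the reduction of the measure list they produce, as an added worked example. This is illustrative code written for this page, not opus i's implementation and not BSI catalogue data: the probability and damage scales, the thresholds that stand in for the mouse-drawn risk matrix, and all hazard, measure and target-object identifiers are constructed for the example.

```python
"""Constructed example: risk matrix, hazard classification and treatment plan.

Scales, thresholds, hazards, measures and target objects are invented for
illustration. They are not BSI IT-Grundschutz catalogue entries and this is
not opus i code.
"""
from dataclasses import dataclass
from enum import Enum


class Treatment(Enum):
    ACCEPTABLE = "acceptable"
    ALARP = "ALARP"            # as low as reasonably practicable
    UNACCEPTABLE = "unacceptable"


# Step 1: probability scale (constructed, 1 = rare ... 4 = frequent)
PROBABILITY = {1: "rare", 2: "occasional", 3: "likely", 4: "frequent"}
# Step 2: damage scale (constructed, 1 = negligible ... 4 = catastrophic)
DAMAGE = {1: "negligible", 2: "limited", 3: "substantial", 4: "catastrophic"}


def build_matrix(alarp_min: int, unacceptable_min: int) -> dict:
    """Step 3: the risk matrix, derived from the risk appetite.

    Stand-in for the mouse-drawn matrix: every cell (p, d) is classified by
    the product p * d against two thresholds. p*d >= unacceptable_min is
    unacceptable, p*d >= alarp_min is ALARP, everything else is acceptable.
    """
    if not 1 <= alarp_min < unacceptable_min <= 16:
        raise ValueError("need 1 <= alarp_min < unacceptable_min <= 16")
    matrix = {}
    for p in PROBABILITY:
        for d in DAMAGE:
            score = p * d
            if score >= unacceptable_min:
                matrix[(p, d)] = Treatment.UNACCEPTABLE
            elif score >= alarp_min:
                matrix[(p, d)] = Treatment.ALARP
            else:
                matrix[(p, d)] = Treatment.ACCEPTABLE
    return matrix


@dataclass(frozen=True)
class Hazard:
    hid: str            # constructed identifier, not a BSI hazard number
    name: str
    probability: int    # step 4: rated on scale (1)
    damage: int         # step 4: rated on scale (2)
    measures: tuple     # constructed measure identifiers countering it


@dataclass
class TargetObject:
    name: str
    hazards: list


def classify(hazard: Hazard, matrix: dict) -> Treatment:
    """Look the hazard's (probability, damage) cell up in the matrix."""
    return matrix[(hazard.probability, hazard.damage)]


def raw_measure_count(network: list) -> int:
    """Measures as a plain Grundschutz modelling lists them: once per hazard
    per target object, with no risk filtering and no de-duplication."""
    return sum(len(hz.measures) for obj in network for hz in obj.hazards)


def treatment_plan(network: list, matrix: dict, include_alarp: bool = True) -> dict:
    """Apply the risk analysis to the IT network and build the plan.

    Returns {measure_id: sorted list of "target/hazard"}. Acceptable risks
    (and ALARP risks, if include_alarp is False) are dropped, and a measure
    that counters the same hazard on several target objects appears once,
    with every place it applies, rather than once per object.
    """
    wanted = {Treatment.UNACCEPTABLE}
    if include_alarp:
        wanted.add(Treatment.ALARP)
    plan = {}
    for obj in network:
        for hz in obj.hazards:
            if classify(hz, matrix) not in wanted:
                continue
            for m in hz.measures:
                plan.setdefault(m, set()).add(f"{obj.name}/{hz.hid}")
    return {m: sorted(where) for m, where in sorted(plan.items())}


# Constructed IT network: three target objects share hazards, so the same
# measure would otherwise be listed several times, as in a real modelling.
G_POWER = Hazard("G-A", "Power failure", 2, 3, ("M-UPS",))
G_MALWARE = Hazard("G-B", "Malware infection", 4, 3, ("M-AV", "M-PATCH"))
G_COFFEE = Hazard("G-C", "Coffee spilled on keyboard", 3, 1, ("M-CLEANDESK",))
G_ADMIN = Hazard("G-D", "Abuse of admin rights", 2, 4, ("M-4EYES", "M-LOG"))

NETWORK = [
    TargetObject("file-server", [G_POWER, G_MALWARE, G_ADMIN]),
    TargetObject("mail-server", [G_POWER, G_MALWARE]),
    TargetObject("client-pc-01", [G_MALWARE, G_COFFEE]),
]

if __name__ == "__main__":
    matrix = build_matrix(alarp_min=6, unacceptable_min=10)
    print("unfiltered measure entries:", raw_measure_count(NETWORK))
    for measure, where in treatment_plan(NETWORK, matrix).items():
        print(measure, "->", ", ".join(where))
```

With the thresholds chosen here the constructed network's 11 unfiltered measure entries collapse to five distinct measures when ALARP risks are kept, and to two when only unacceptable risks are treated; the risk appetite is expressed entirely in the two threshold values, so changing them regenerates the plan without touching the hazard ratings.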