In risk management, mitigating controls are the key to reducing threats to assets. These mitigating controls can be found within standards such as ISO/IEC 27001, which suggest measures to take in order to reduce risk to an organization’s assets. In this blog post we will be covering threats, assets and mitigating controls, as well as the connections between those three in RM Studio.
It is important to understand what each item means with regard to risk management. We have defined Assets, Threats, and Mitigating Controls below:
Assets: Assets are any tangible or intangible economic resources which can be owned or used to produce value.
Threats: A threat is an act, which may be man-made, accidental or an act of nature, which can cause potential harm.
Mitigating Controls: Mitigating controls are put in place to reduce either the probability or consequences of a threat.
On a number of occasions we have been asked “How can mitigating controls be assigned to assets?” This is a fair question, since the purpose of doing a risk assessment is to identify your assets, the risk imposed on those assets, and then find a measure for reducing that risk. The answer, however, is that mitigating controls are not assigned to assets, at least not directly. Mitigating controls are, as stated in the definition, methods used to reduce the overall impact of a threat. The mitigating controls are therefore assigned to the appropriate threats. The threats, on the other hand, are connected to one or more assets, so the mitigating controls help protect the asset(s) defined in your risk assessment. The following illustration highlights this relationship.
This might be easier to explain with a short example: let’s say that we have identified a computer server as a major asset to our organization. This server contains a fair amount of vital and confidential data. Therefore we have identified malicious attack as one of the threats opposing our asset. The next step is to assign a value to the asset (in RM Studio this value is based on Value, Confidentiality, Integrity and Availability) and to the threat (in RM Studio this is based on Impact, Probability and Vulnerability of Asset). After finishing this step (for all threats and assets), we realize that malicious attack on our computer server is one of the largest threats opposing our server. Now we decide to take action to reduce this risk, i.e. implement one or more mitigating controls. A good example in this case would be to install an anti-virus system and set up a firewall. By doing so, we have reduced the impact of the threat, which results in a lower security risk towards our server. The following illustration highlights this process.
One of RM Studio’s benefits is that it assists ISO/IEC 27000 series users by linking predefined asset categories to threats, which are in turn linked to mitigating controls. Further, in RM Studio assets and threats are assigned to one or more asset categories. By doing this RM Studio creates a connection between the assets and threats: all assets and threats belonging to the same category are interconnected.
RM Studio is equipped with a Threat Library of threats and vulnerabilities associated with ISO 27001 and 27005, as well as an extensive Asset Category list mapped to the threats. If users feel that the built-in tools don’t quite fulfill all their needs, it’s very simple to create new threats and/or asset categories that meet the users’ demands.
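The asset-to-category-to-threat-to-control chain described above can be modelled as a small data structure. The following Python is an added example written for this post, not RM Studio's own code or data model: it uses the rating names the post mentions (Value, Confidentiality, Integrity, Availability for assets; Impact, Probability, Vulnerability for threats) but the scoring formulas, the 1–5 scale, the residual "factor" a control applies, and all sample assets, threats and category names are assumptions made up for illustration. It shows how a shared category connects an asset to a threat, how controls attached to that threat therefore protect the asset, and how the server's risk falls once the anti-virus and firewall controls from the worked example are applied.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Control:
    """A mitigating control reduces one component of a threat (assumed model)."""
    name: str
    reduces: str   # "probability" or "impact" (the post: probability or consequences)
    factor: float  # assumed residual multiplier, e.g. 0.5 halves that component


@dataclass
class Threat:
    """Threats carry Impact/Probability/Vulnerability ratings and their controls."""
    name: str
    categories: Set[str]
    impact: int          # assumed 1-5 scale
    probability: int     # assumed 1-5 scale
    vulnerability: int   # assumed 1-5 scale
    controls: List[Control] = field(default_factory=list)

    def components(self, with_controls: bool = True) -> Dict[str, float]:
        comp = {"impact": float(self.impact),
                "probability": float(self.probability),
                "vulnerability": float(self.vulnerability)}
        if with_controls:
            for c in self.controls:
                comp[c.reduces] *= c.factor  # control lowers one component
        return comp

    def score(self, with_controls: bool = True) -> float:
        # Assumed formula: product of the three (residual) components.
        comp = self.components(with_controls)
        return comp["impact"] * comp["probability"] * comp["vulnerability"]


@dataclass
class Asset:
    """Assets carry Value/Confidentiality/Integrity/Availability ratings."""
    name: str
    categories: Set[str]
    value: int
    confidentiality: int
    integrity: int
    availability: int

    def score(self) -> int:
        # Assumed formula: sum of the four ratings.
        return self.value + self.confidentiality + self.integrity + self.availability


def threats_for(asset: Asset, threats: List[Threat]) -> List[Threat]:
    """A threat applies to an asset when they share at least one category."""
    return [t for t in threats if asset.categories & t.categories]


def controls_protecting(asset: Asset, threats: List[Threat]) -> Dict[str, Set[str]]:
    """Controls reach an asset only through the threats linked to it.
    Returns control name -> names of the asset's threats it mitigates."""
    reach: Dict[str, Set[str]] = {}
    for t in threats_for(asset, threats):
        for c in t.controls:
            reach.setdefault(c.name, set()).add(t.name)
    return reach


def risk(asset: Asset, threat: Threat, with_controls: bool = True) -> float:
    """Assumed risk formula: asset score times (residual) threat score."""
    return asset.score() * threat.score(with_controls)


# --- Constructed sample data (not from RM Studio's library) ------------------
ANTI_VIRUS = Control("Anti-virus", reduces="probability", factor=0.5)
FIREWALL = Control("Firewall", reduces="impact", factor=0.5)

MALICIOUS_ATTACK = Threat("Malicious attack", {"Servers", "Workstations"},
                          impact=5, probability=4, vulnerability=3,
                          controls=[ANTI_VIRUS, FIREWALL])
HARDWARE_FAILURE = Threat("Hardware failure", {"Servers", "Peripherals"},
                          impact=4, probability=2, vulnerability=2)
THREATS = [MALICIOUS_ATTACK, HARDWARE_FAILURE]

SERVER = Asset("File server", {"Servers"}, value=5, confidentiality=5, integrity=4, availability=4)
PRINTER = Asset("Office printer", {"Peripherals"}, value=1, confidentiality=1, integrity=1, availability=2)


if __name__ == "__main__":
    for asset in (SERVER, PRINTER):
        print(asset.name, "->", [t.name for t in threats_for(asset, THREATS)])
        print("  protected by:", controls_protecting(asset, THREATS))
    print("Server/malicious attack risk before controls:", risk(SERVER, MALICIOUS_ATTACK, False))
    print("Server/malicious attack risk after controls: ", risk(SERVER, MALICIOUS_ATTACK))
```

Note that the printer never "sees" the anti-virus or firewall controls even though they exist in the model: it shares no category with the malicious-attack threat, so the controls attached to that threat do not reach it. That is the indirect assignment the post describes.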