Back to M2.3.1 - P1 - INFORMATION SECURITY RISK TREATMENT OPTIONS
Selecting the most appropriate information security risk treatment option involves balancing the costs and efforts of implementation against the benefits derived, while also taking into account sector, national or regulatory requirements. Decisions should also take into account risks that can warrant treatment even where it is not justifiable on economic grounds, e.g. severe (high negative consequence) but rare (low likelihood) risks.
A number of treatment options can and should be considered and applied either individually or in combination. When selecting risk treatment options, the entity should consider expectations at the sector and national level. Risk treatments that are equally effective can nonetheless be more acceptable to some stakeholders than to others.
The selected risk treatment options should be documented in the risk treatment plan. The treatment plan should clearly identify the priority order in which individual risk treatments should be implemented.
Risk treatment itself can introduce risks. A significant risk can be the failure or ineffectiveness of the risk treatment measures. Monitoring needs to be an integral part of the risk treatment plan to give assurance that the measures remain effective (see also M6).