Replies: 2 comments
-
Thank you for sharing your idea.
Every risk has a Risk Context field where any details could be described. Is it not useful for this need, or is the purpose different?
-
The explanations could be placed in a new stage in phase 3 (Evaluation and treatment of risks). For example: What I would expect in this stage:
To summarize, the purpose would be to enhance this chapter of the Final Report: At the end, it would help to better answer ISO 27001, which requests to detail how and why (objectives of Security Policy) the risks are treated. I hope I have been more clear :-) Frederic
-
Hello to everyone,
In Monarc, there is the possibility to add explanations, models or details on the context, threats evaluation, or to modify the label of vulnerabilities.
But nothing on the risks themselves, apart from the possibility to add some text in "Risks Management Organisation" and some "already implemented" text in the final report, ch. 2.2.4 (Table of Risks), detailing the risk thresholds.
In fact, it would be interesting and very useful to have the possibility to explain somewhere how the risks are treated or validated, and why some are accepted or denied.
This could be added in another bullet in "Context Establishment", or more logically, in another bullet point in "Evaluation and treatment of risks".
These details would then appear in the final report, and change the text of ch. 2.2.4.
Feel free to ask me if I have not been clear enough :-)
Thank you.
Frederic