Spyderisk / domain-network

Network domain model
Apache License 2.0

Identifying control strategies that have the effect of ignoring threats #156

Open scp93ch opened 1 month ago

scp93ch commented 1 month ago

In the risk report, as being generated in the risk reporting tool, we need to be able to provide a list of abbreviated attack paths (root cause, intermediate cause), the uncontrolled consequence, the control strategy applied, the impact level, and the before-and-after likelihood and risk levels.

Some of our control strategies are e.g. "ignore physical threats from world" and if such a strategy is used in a model then it may appear in the risk report the same as any other "proper" control strategy. We need to treat them differently in the risk report, either by putting them in a separate part of the report (e.g. "things we've ignored") or removing them altogether.

If there is no explicit way of identifying these "ignore something" control strategies, can we add one?

scp93ch commented 1 month ago

It occurred to me that the control strategies of this "ignore something" type are in a sense part of the ISO 27005 "Context Establishment" step, as illustrated in the overview paper:

[image: ISO 27005 process figure from the overview paper]

In the way we implement the process, the scope of the analysis is reflected primarily in the assets and relations, but then (after validation) in these particular control strategies. The scoping aspect of the initial "Context Establishment" step in the ISO process can be understood as deciding the scope, which is then reflected in these different aspects.
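As an added illustration of the report layout proposed in this issue (this is example code written for this page, not part of the Spyderisk domain-network repository or its risk reporting tool), the snippet below builds the report entries described above from a small constructed dataset and routes "ignore something" control strategies into a separate "things we've ignored" section. The `ignores_threat` flag on each entry is the hypothetical explicit marker the issue asks for; the name-prefix check in `is_ignore_strategy` is an assumed stopgap for models that do not yet carry such a marker. Because an ignore-type strategy does not actually reduce likelihood, the example reports its uncontrolled values only, rather than showing an after-control improvement.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical explicit marker plus a name-based fallback; neither exists in the
# domain model today (this issue asks for the explicit one).
IGNORE_PREFIX = "ignore"


@dataclass
class ReportEntry:
    root_cause: str
    intermediate_cause: str
    consequence: str            # the uncontrolled consequence
    control_strategy: str
    impact: str
    likelihood_before: str
    risk_before: str
    likelihood_after: Optional[str] = None   # None for ignore-type strategies
    risk_after: Optional[str] = None
    ignores_threat: Optional[bool] = None    # assumed explicit flag, may be absent


def is_ignore_strategy(entry: ReportEntry) -> bool:
    """Prefer the explicit flag; fall back to the strategy label as a stopgap."""
    if entry.ignores_threat is not None:
        return entry.ignores_threat
    return entry.control_strategy.strip().lower().startswith(IGNORE_PREFIX)


def split_report(entries):
    """Partition entries into real controls and scoping decisions ('ignored')."""
    controlled = [e for e in entries if not is_ignore_strategy(e)]
    ignored = [e for e in entries if is_ignore_strategy(e)]
    return controlled, ignored


def render_report(entries) -> str:
    controlled, ignored = split_report(entries)
    lines = ["Controlled risks"]
    for e in controlled:
        lines.append(
            f"  {e.root_cause} -> {e.intermediate_cause} -> {e.consequence}: "
            f"{e.control_strategy} [impact {e.impact}; likelihood "
            f"{e.likelihood_before} -> {e.likelihood_after}; risk "
            f"{e.risk_before} -> {e.risk_after}]"
        )
    lines.append("Things we've ignored (out of scope; no risk reduction claimed)")
    for e in ignored:
        lines.append(
            f"  {e.root_cause} -> {e.intermediate_cause} -> {e.consequence}: "
            f"{e.control_strategy} [impact {e.impact}; likelihood "
            f"{e.likelihood_before}; risk {e.risk_before}]"
        )
    return "\n".join(lines)


# Constructed sample data, not taken from any real Spyderisk model.
SAMPLE_ENTRIES = [
    ReportEntry("Remote attacker", "Service exploit", "Data disclosure",
                "Patch management", "High", "High", "High",
                likelihood_after="Low", risk_after="Medium", ignores_threat=False),
    ReportEntry("World", "Physical access to host", "Host compromised",
                "Ignore physical threats from world", "High", "Medium", "High",
                ignores_threat=True),
    ReportEntry("World", "Tailgating into office", "Device theft",
                "Ignore physical threats from world", "Medium", "Low", "Medium"),
]


if __name__ == "__main__":
    print(render_report(SAMPLE_ENTRIES))
```

The third sample entry has no explicit flag, so it is classified by the label fallback; once the domain model gains a real marker, the fallback can be dropped so that a strategy whose name merely happens to start with "Ignore" is not misclassified.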