A control is a measure implemented to reduce or eliminate the likelihood of a risk occurring, or to mitigate its impact if it does occur. A control can be preventive, corrective, or detective, depending on the stage of the risk management process at which it acts. A control can also be administrative, technical, or physical, depending on the nature of the risk and the organization. Controls are designed, implemented, monitored, and evaluated on the basis of the risk assessment and the risk treatment plan. A control can be documented in the business continuity policy, objectives, plans, procedures, and other relevant documents, and it can be audited to verify its effectiveness and efficiency in achieving the intended outcomes.

References:
PECB Certified ISO 22301 Lead Auditor eLearning Training Course, Module 3: Fundamental principles and concepts of a business continuity management system (BCMS), Lesson 3.2: Business continuity management system (BCMS), Slide 15: Risk management
ISO 22301 Auditing eBook, Chapter 3: Fundamental principles and concepts of a business continuity management system (BCMS), Section 3.2: Business continuity management system (BCMS), Subsection 3.2.4: Risk management