Workshop 2: Specifying controls
Last updated
This workshop typically takes place one week after the first workshop (Risk Identification).
The Workshop Facilitator starts the workshop with a brief presentation, which includes a review of the previous workshop (Risks) and the objectives of the current workshop.
Below is an example of a presentation that can help convey the above topics to the participants.
The Workshop Facilitator places the risks identified in the Risk Identification workshop that were marked to be treated by the team itself (‘mitigate’) in the corresponding column of the Canvas, in order of priority (as established in the Risks workshop).
The following topics are addressed using the Canvas.
For each risk, the team discusses which measures would help to reduce the risk. These are written on Post-Its and placed on the Canvas (Controls column), next to the risk they relate to.
For each measure, the team considers how to determine whether the measure is working. The team also proposes a target value by the end of the cycle.
The team discusses who within the team will be responsible for each measure. This person oversees the implementation of the measure. The team also discusses what this person needs from others in order to be successful.
A list of measures.
For each measure:
The risk the measure relates to.
How the effectiveness of the measure will be determined.
A target effectiveness value by the end of this cycle.
Who is responsible for implementing the measure (Control Owner).
The contribution of other team members.
At the end of the workshop, the Workshop Facilitator repeats the agreements on the implementation of measures. He/she looks ahead to the Alignment Meeting and the next workshop (Effectiveness), where the results achieved will be discussed. He/she also mentions the need for maintaining an incident log and offers a template or tool for it. The Team Captain is responsible for keeping this log.
After the workshop, the Workshop Facilitator ensures proper documentation is prepared. Below is an example of how this can be done. The Workshop Facilitator shares the documentation with the workshop participants.
Once all teams have completed the Measures Workshop, the Alignment Meeting will follow (see further details below).
As a more advanced step, Policy Cards can be used. These include:
The purpose of the measures (in terms of risk control).
A description of the measures, structured as follows: “To control the risk of X for Asset Y, measures A, B, and C are implemented by person Z. The effectiveness is determined by measurement P, and will be evaluated by person Q in the manner described in R, at time S.”
Possibly a reference to a Control from ISO 27001 Annex A.
A categorization of the measures (cf. ISO 27002).
Who the Policy Owner is.