Do we assume that the controls reduce the impact rating? I'm unsure of how that will happen. Can you please explain? For example - Desktop Computers > Downloads from internet not controlled > Infections with malicious software > Controls chosen are: A.5.7, A.5.10, A.5.17, A.5.24, A.5.25, A.5.26, A.5.27, A.5.28, A.5.37, A.6.1, A.6.2, A.6.3, A.6.4, A.6.8, A.8.7, A.8.19, A.8.21
The residual risk is now 0 but I don't understand how the Impact is reduced to 0 with these. Please help.
First, it is important to note that not all controls work on reducing impact. Some of them work to reduce the likelihood.
Considering that, from the mentioned controls, the following work on impact reduction:
A.5.26 - Response to information security incidents: a quick planned response helps eliminate incident causes and decrease impact spreading
A.8.21 - Security of network services: properly configured network services help decrease the spread of a malware infection, reducing the impact.