Is it important to account for or acknowledge risks that may not apply to an organization or system? What if you identified a risk that you would typically consider for but would not use due because of the context. Say, for example, your organization is not in a floodplain however it is usual to consider for the flood risk for all locations of your organization. What if you have validated with FEMA 100 Year Flood Zones that the total risk facing the organization is very low since it is not in a location that requires flood insurance? Do you still need to acknowledge the possibility of the threat occurring?
I believe it is essential to acknowledge the risk. We need to document it as very low risk, and very minimum safeguards are required as part of risk assessment. The building code of the location would define minimum safeguard. However, there could be situations where the asset value of the site is very high that you cannot ignore the risk altogether. Say the location is the primary data center for the organization. In such situations, the organization must implement all appropriate controls required to protect from the flood. The assessment needs to be revisited periodically to determine if the risk is significant or not at that time. Each evaluation must be based on current facts and numbers at the time. Continue reading “Acknowledging Non-Applicable Threats”