Documentation - Controls
After the threats have been identified, appropriate measures must be chosen for each threat. The available measures come from the standard chosen for this case, for example NEN-ISO/IEC 27002. It is advisable to stick with the chosen standard for this step, and to perform this step with or by someone with sufficient knowledge of that standard.
A control can be chance-reducing, impact-reducing or both. Depending on the approach chosen for a threat, a control is either in line with that approach or not. For example, if an evasive approach (reducing the chance) has been chosen, the impact-reducing controls are not in line with it. These can still be selected, but the text of the control is crossed out to make clear that the measure is not in line with the chosen approach.
At the top of the control list is the name of the standard from which these controls originate. To the right of it is a cross symbol. Clicking it opens a pulldown with the threat templates present in RAFIS. Selecting one of these threats highlights the controls that RAFIS regards as mitigating for that threat; the current selection itself is not changed.
An exclamation mark icon indicates a conflict. This occurs when you select controls for a threat that you have accepted, or when you have not yet selected any controls for a threat that you have not accepted.
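The two rules above (a control being "in line" with the approach chosen for a threat, and the conflict indicator) as a small check that can be run over a list of threats. This is an added example, not RAFIS code; the approach names (evade, mitigate, accept), the data model and the sample controls are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field

# Assumed vocabulary (not RAFIS identifiers): what a control reduces,
# and which approach was chosen for a threat.
CHANCE, IMPACT, BOTH = "chance", "impact", "both"
EVADE, MITIGATE, ACCEPT = "evade", "mitigate", "accept"

@dataclass
class Control:
    name: str
    reduces: str            # CHANCE, IMPACT or BOTH

@dataclass
class Threat:
    name: str
    approach: str           # EVADE (reduce chance), MITIGATE (reduce impact) or ACCEPT
    selected: list = field(default_factory=list)   # controls chosen for this threat

def in_line(approach: str, control: Control) -> bool:
    """A control is in line when it reduces what the chosen approach targets.
    A control that reduces both chance and impact fits either approach."""
    if control.reduces == BOTH:
        return True
    if approach == EVADE:
        return control.reduces == CHANCE
    if approach == MITIGATE:
        return control.reduces == IMPACT
    return False            # accepted threat: no control is in line

def conflict(threat: Threat) -> bool:
    """Conflict: controls selected for an accepted threat, or no controls yet
    for a threat that was not accepted."""
    if threat.approach == ACCEPT:
        return bool(threat.selected)
    return not threat.selected

def review(threat: Threat) -> dict:
    """Report the conflict flag and the selected controls that would be crossed out."""
    return {
        "threat": threat.name,
        "conflict": conflict(threat),
        "crossed_out": [c.name for c in threat.selected
                        if not in_line(threat.approach, c)],
    }

# Constructed sample data (control names chosen for illustration only).
BACKUP = Control("Information backup", IMPACT)
AWARENESS = Control("Security awareness training", CHANCE)
PATCHING = Control("Technical vulnerability management", BOTH)
SAMPLE_THREATS = [
    Threat("Ransomware", EVADE, [AWARENESS, BACKUP, PATCHING]),
    Threat("Hardware failure", ACCEPT, [BACKUP]),
    Threat("Phishing", MITIGATE, []),
]
```

Running `review` over `SAMPLE_THREATS` marks the backup control as crossed out for the evasive approach, flags the accepted threat because a control was selected for it, and flags the non-accepted threat that has no controls yet.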