The trouble with dropping controls
I literally don’t understand a question that came up on the ISO27k Forum this week. A member asked: ‘Should a control be discontinued because a reassessment showed a lower acceptable risk score?’

I find it interesting to pick apart the question to explore the reasons why I don’t understand it, and the implications. See what you think ...

Any control may legitimately be ‘discontinued’ (removed, unimplemented, retired, replaced, modified etc.) provided that change has been duly thought-through, assessed, justified, and deemed appropriate for whatever reasons. It may be important, though, to be reasonably certain that discontinuation is, in fact, in the best interests of the organization, and that’s often hard to determine as controls can be quite complex in themselves, and are part of a highly complex ‘control environment’. A seemingly trivial, unimportant, even redundant control (such as an alert) might turn ...