Risk Treatment: An Iterative Method for Identifying Controls

Due to the increasing number of security incidents in the last years, the consideration of security during software development becomes more and more important. A certain level of security can be achieved by applying suitable countermeasures. The ISO 27001 standard demands a risk-based selection of countermeasures, i.e. controls, for information security. Risk serves as a prioritization criterion for selecting controls. To reduce the development effort, security should be addressed as early as possible in the software development lifecycle.