Risk Assessment and Treatment Process
ISO/IEC 20000 Toolkit Version 6 ©CertiKit 2016
Risk Assessment and Treatment Process
Implementation Guidance (The header page and this section must be removed from final version of the document)
Purpose of this document The Risk Assessment and Treatment Process documents how risk assessments will be carried out and the resulting risks treated.
Areas of the standard addressed The following areas of the ISO/IEC 20000:2011 standard are addressed by this document: 6. Service delivery processes 6.3 Service continuity and availability management 6.3.1 Service continuity and availability requirements 6.6 Information security management 6.6.1 Information security policy
General Guidance The intention of this document is to provide a process that can be used for both service continuity and information security related risk assessments, as these obviously have a fair degree of overlap. The risk assessment process underpins much of the ISO/IEC 20000 standard and it is worth spending some time to understand its main points. If you have a corporate risk assessment process within your organization then you should either adopt that or ensure that this process is in harmony with it. There is an international standard for risk management which may be worth obtaining – ISO 31000:2009. This is not required for ISO/IEC 20000 but gives the “official� view of how risk management should be carried out. The important aspects are that you identify, assess and treat the risks, implementing appropriate controls which can be referenced back to the risk(s) they address.
Review Frequency We would recommend that this document is reviewed annually.
Version 1
Page 1 of 18
[Insert date]
Risk Assessment and Treatment Process
Toolkit Version Number ISO/IEC 20000 Toolkit Version 6 ©CertiKit 2016.
Document Fields This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document): 1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name 2. Press Ctrl a on the keyboard to select all text in the document (or use Select, Select All on the ribbon) 3. Press F9 on the keyboard to update all fields 4. When prompted, choose the option to just update TOC page numbers If you wish to permanently convert the fields in this document to text i.e. so that they are no longer updateable, then you will need to click into each occurrence of the field and press Ctrl Shift F9. If you would like to make all fields in the document visible then go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check that you have updated all fields correctly. Further detail on the above procedure can be found in the Toolkit Completion Instructions within the Project Resources folder.
Copyright notice Except for any third party works included in this document, as identified in this document, this document has been authored by CertiKit, and is © copyright CertiKit except as stated below. CertiKit is a trading name of Public I.T. Limited, a company registered in England and Wales with company number 6432088 and registered office at 5 Falcons Rise, Belper, Derbyshire, DE56 0QN.
Licence terms This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person
Version 1
Page 2 of 18
[Insert date]
Risk Assessment and Treatment Process
identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third party copyright included in this document.
Disclaimer Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness, or adequacy of our document templates, assumes no duty of care to any person with respect its document templates or their contents, and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Version 1
Page 3 of 18
[Insert date]
Risk Assessment and Treatment Process
[Replace with your logo]
Risk Assessment and Treatment Process
Document Ref. Version: Dated: Document Author: Document Owner:
Version 1
Page 4 of 18
SMS-DOC-066-2 1 [Insert date]
[Insert date]
Risk Assessment and Treatment Process
Revision History Version Date
Revision Author
Summary of Changes
Distribution Name
Title
Approval Name
Version 1
Position
Signature
Page 5 of 18
Date
[Insert date]
Risk Assessment and Treatment Process
Contents 1
INTRODUCTION ....................................................................................................................................... 7
2
RISK ASSESSMENT AND TREATMENT PROCESS .......................................................................... 8 2.1 CRITERIA FOR PERFORMING INFORMATION SECURITY RISK ASSESSMENTS .............................................. 8 2.2 PROCESS DIAGRAM ................................................................................................................................... 9 2.3 IDENTIFICATION OF RISKS ....................................................................................................................... 10 2.3.1 Identify Risk Scenarios.................................................................................................................. 10 2.3.2 Assess the Likelihood .................................................................................................................... 10 2.3.3 Assess the Impact .......................................................................................................................... 10 2.4 RISK ANALYSIS AND EVALUATION ......................................................................................................... 11 2.4.1 Numerical Classification .............................................................................................................. 11 2.4.2 Risk Acceptance Criteria .............................................................................................................. 12 2.4.3 Risk Assessment Report ................................................................................................................ 12 2.5 RISK TREATMENT ................................................................................................................................... 13 2.5.1 Risk Treatment Options ................................................................................................................ 13 2.5.2 Risk Treatment Plan...................................................................................................................... 13 2.6 SELECTION OF CONTROLS ....................................................................................................................... 13 2.7 MANAGEMENT APPROVAL ...................................................................................................................... 14 2.8 RISK MONITORING AND REPORTING ....................................................................................................... 14 2.9 REGULAR REVIEW .................................................................................................................................. 14 2.10 ROLES AND RESPONSIBILITIES ........................................................................................................... 14 2.10.1 RACI Chart .............................................................................................................................. 14
3
CONCLUSION.......................................................................................................................................... 16
4
APPENDIX A – LIST OF TYPICAL THREATS .................................................................................. 17
List of Figures FIGURE 1 - RISK ASSESSMENT AND TREATMENT PROCESS ............................................................................................ 9 FIGURE 2 - RISK CLASSIFICATION MATRIX ................................................................................................................ 11
List of Tables TABLE 1- RACI MATRIX .......................................................................................................................................... 15 TABLE 2 - TYPICAL THREATS .................................................................................................................................... 18
Version 1
Page 6 of 18
[Insert date]
Risk Assessment and Treatment Process
1 Introduction The effective management of IT service continuity and information security has always been a priority for [Organization Name] in order to manage risk and safeguard its reputation in the marketplace. However, there is still much to be gained by [Organization Name] and by [Service Provider] in introducing industry-standard good practice processes, not the least of which is the ability to become more proactive in our approach and to gain and maintain a better understanding of our customers’ needs and plans. Risk is the happening of an unwanted event, or the non-happening of a wanted event, which affects a business in an adverse way. Risk is realised when:
the objectives of the business are not achieved the assets of the business are not safeguarded from loss there is non-compliance with organization policies and procedures or external legislation and regulation the resources of the business are not utilised in an efficient and effective manner the confidentiality, integrity and availability of information is not reliable
It is important that [Organization Name] has an effective risk assessment and treatment process in place to ensure that potential impacts do not become real, or if they do, that contingencies are in place to deal with them. It is important also that the process is sufficiently clear so that successive assessments produce consistent, valid and comparable results, even when carried out by different people.
Version 1
Page 7 of 18
[Insert date]
Risk Assessment and Treatment Process
2 Risk Assessment and Treatment Process 2.1
Criteria for Performing Information Security Risk Assessments
There are a number of circumstances in which a risk assessment should be carried out and these will vary in scope. In general these are as follows:
A comprehensive risk assessment covering all information services as part of the initial implementation of the Service Management System (SMS) Updates to the general risk assessment as part of the management review process – this should identify changes to services, threats and vulnerabilities and therefore risk levels As part of projects that involve significant change to the organization, the SMS or its information services As part of the change management process when assessing whether proposed changes should be approved On major external change affecting the organization which may invalidate the conclusions from previous risk assessments e.g. changes to relevant legislation
If there is uncertainty regarding whether a risk assessment is appropriate, the organization should err on the side of caution and carry one out.
Version 1
Page 8 of 18
[Insert date]
Risk Assessment and Treatment Process
2.2
Process Diagram
The process of risk assessment and treatment is shown in the diagram below.
Identify the Risks
Analyse and Evaluate the Risks
Risk Acceptance Criteria
Risk Assessment Report
Identify and Evaluate Options for Treatment
Risk Treatment Plan
Obtain Management Approval for Residual Risks
Monitor and Report
Regular Review
Figure 1 - Risk assessment and treatment process
Each step in this process is described in more detail in the rest of this document.
Version 1
Page 9 of 18
[Insert date]
Risk Assessment and Treatment Process
2.3
Identification of Risks
The process of identifying risks will consist of the following steps in line with the requirements of ISO/IEC 20000. The starting point for the risk assessment is the service catalogue which sets out the services provided and other useful information such as numbers of users and service dependencies. 2.3.1
Identify Risk Scenarios
The identification of risks to information services will be performed by a combination of group discussion and interview with the interested parties. Such interested parties will normally include (where possible):
Manager(s) responsible for the service (service owner) Representatives of the people that normally carry out each aspect of the service Providers of the inputs to the service Recipients of the outputs of the service Appropriate third parties with relevant knowledge Representatives of those providing supporting services and resources to the service Any other party that is felt to provide useful input to the risk identification process
Identified risks will be recorded with as full a description as possible. 2.3.2
Assess the Likelihood
An estimate of the likelihood of the threat occurring must be made. This should take into account whether it has happened before either to this organization or similar organizations in the same industry or location and whether there exists sufficient motive, opportunity and capability for the threat to become real. 2.3.3
Assess the Impact
An estimate of the impact that the loss of confidentiality, integrity or availability of the service could have on the organization should be given. Consideration should be given to the impact in the following areas:
Customers Finance Health and Safety Reputation Knock-on impact within the organization
Version 1
Page 10 of 18
[Insert date]
Risk Assessment and Treatment Process

2.4
Legal, contractual or organizational obligations
Risk Analysis and Evaluation
2.4.1
Numerical Classification
To assess the risk to a service and determine the appropriate treatment, [Organization Name] will examine the threats, the likelihood that the threat will take place and the impact of it should it occur. A 5-point scale will be used to describe the likelihood of a risk taking place and also to describe the impact that it is likely to have. The 5-point scale for the likelihood ranges from 1=improbable to 5=almost certain; the 5-point scale for the impact ranges from 1=negligible to 5=very high. The risk matrix shown below illustrates the scales and allows us to prioritise our risks so that they can be managed more effectively.
RISK SCORE 5 HIGH 4
Risk Likelihood
MEDIUM
3
2 LOW 1
1
2
3
4
5
Risk Impact
Figure 2 - Risk classification matrix
The risk classification used will be the score obtained from multiplying the likelihood that the risk will occur and the impact it is likely to have. Both scales range from 1 to 5, so the minimum score will be 1 and the maximum score will be 25 as shown in the matrix above. Each risk will be allocated a classification based on its score as follows:
Version 1
Page 11 of 18
[Insert date]
Risk Assessment and Treatment Process
HIGH MEDIUM LOW
– – –
12 or more 5 to 10 inclusive 1 to 4 inclusive
The rationale for indicating the likelihood and impact ratings awarded will be given so that these can be assessed at a later date to see if they have materially changed. This will also assist in ensuring consistency and repeatability in risk assessments. 2.4.2
Risk Acceptance Criteria
The matrix in Figure 2 shows the classifications of risk, where green indicates an acceptable threshold as the likelihood is minimal or/and the impact is minimal. The orange indicates that the risk threshold is medium as the risk is larger as is the impact; so containing those risks is more important than addressing those in the green. The red area indicates the risks that are of the highest priority as both the impact and the risk are relatively high, so measures to contain them must be of the highest priority and, if they cannot be reduced then countermeasures must be in place for these risks. The overall intention of the risk assessment and proposed treatments is to reduce the classification of the risks to an acceptable level e.g. HIGH down to MEDIUM or MEDIUM down to LOW. This is not always possible as sometimes although the score is reduced, it remains in the same classification e.g. reducing the score from 8 to 6 means it still remains a MEDIUM level risk. The organization may decide to accept these risks even though they remain at a MEDIUM rating. The priorities of the items in the Continual Improvement Plan are determined by the highest priority of the Risk Assessment items addressed e.g. if 3 items are addressed by a single action and one is MEDIUM and two LOW, then the priority of the action will be MEDIUM. 2.4.3
Risk Assessment Report
The output from the risk analysis and evaluation stage is the risk assessment report. This shows the following information:
Risk scenario descriptions Controls currently implemented Likelihood (including rationale) Impact (including rationale) Score Classification Risk Owner Whether the risk is accepted or needs treatment
This report is input to the risk treatment stage of the process and must be signed off by management before continuing.
Version 1
Page 12 of 18
[Insert date]
Risk Assessment and Treatment Process
2.5
Risk Treatment
For those risks that are judged to be above the threshold for acceptance by [Organization Name], the options for treatment will then be explored. 2.5.1
Risk Treatment Options
The following options may be applied to the treatment of the identified unacceptable risks: 1. Apply appropriate controls to lessen the likelihood and/or impact of the risk 2. Avoid the risk by taking action that means it no longer applies 3. Transfer the risk to another party e.g. insurer or supplier Judgement will be used in the decision as to which course of action to follow, based on a sound knowledge of the circumstances surrounding the risk e.g.
Business strategy Regulatory and legislative considerations Technical issues Commercial and contractual issues
The Risk Manager will ensure that all parties who have an interest or bearing on the treatment of the risk are consulted. 2.5.2
Risk Treatment Plan
The evaluation of the treatment options will result in the production of the risk treatment plan which will detail:
Risks above the acceptance threshold Services affected Recommended treatment option Control Requirements
This document will be input to the next stage in the process where controls will be selected to meet the identified requirements. 2.6
Selection of Controls
The intention of the application of controls is to reduce the likelihood or impact (or both) of a risk. These controls may be technical, physical or administrative. Annex A of the ISO/IEC 27001:2013 information security standard or similar best practice documentation will be used as the starting point for the identification of appropriate controls to address the information security risk treatment requirements identified as part of the risk assessment exercise.
Version 1
Page 13 of 18
[Insert date]
Risk Assessment and Treatment Process
In the event that the controls set out in Annex A do not address all requirements then additional controls may be implemented. 2.7
Management Approval
At each stage of the risk assessment process management will be kept informed of progress and decisions made, including formal signoff of the proposed residual risks. Management will approve the following documents:  
Risk Assessment Report Risk Treatment Plan
Signoff will be indicated according to [Organization Name] documentation standards. In addition to overall management approval, each treatment should be signed off by the relevant risk owner. 2.8
Risk Monitoring and Reporting
As part of the implementation of new controls and the maintenance of existing ones, key performance indicators will be identified which will allow the measurement of the success of the controls in addressing the relevant risks. These indicators will be reported on a regular basis and trend information produced so that exception situations can be identified and dealt with by management. 2.9
Regular Review
In addition to a full annual review, risk assessments will be evaluated on a regular basis to ensure that they remain current and the applied controls valid. The relevant risk assessments will also be reviewed upon major changes to the business such as office moves, mergers and acquisitions or introduction or new or changed IT services. 2.10 Roles and Responsibilities Within the process of risk assessment there are a number of key roles that play a part in ensuring that all risks are identified, addressed and managed. These roles are shown in the RACI table below, together with their relative responsibilities at each stage of the process. 2.10.1 RACI Chart
The table below clarifies the responsibilities at each step using the RACI model, i.e.:
Version 1
Page 14 of 18
[Insert date]
Risk Assessment and Treatment Process
R= Responsible
A= Accountable
C= Consulted
Role: Information Security Step Manager Identify the risks A/R Risk Acceptance Criteria C Analyse and Evaluate the risks A/R Identify and Evaluate Options A/R for Treatment Select Control Objectives and A/R Controls Obtain Management Approval A for Residual Risks Monitor and Report A/R Regular Review A/R
I= Informed
Business Operational Management Staff C A/R C C
C C C C
C
C
R
C
I C
C C
Table 1- RACI matrix
Further roles and responsibilities may be added to the above table as the risk assessment and treatment process matures within [Organization Name].
Version 1
Page 15 of 18
[Insert date]
Risk Assessment and Treatment Process
3 Conclusion The process of risk assessment and treatment is fundamental to the implementation of a successful Service Management System (SMS) and forms a significant part of the ISO/IEC 20000 standard. By following this process [Organization Name] will go some way to ensuring that the risks that it faces in the day to day operation of its business are effectively managed and controlled.
Version 1
Page 16 of 18
[Insert date]
Risk Assessment and Treatment Process
4 Appendix A – List of Typical Threats The following list may be used as a starting point for creating a relevant list of threats which may apply to the information services identified in the service catalogue. Threat Category Human
Threat
Example
Malicious outsider Malicious insider Loss of key personnel Human error Accidental loss
Someone launches a denial of service attack on your ecommerce website An employee or trusted third party accesses information in an unauthorised manner from inside your network One or more people with key skills or knowledge are unavailable perhaps due to extended sickness An employee accidentally deletes the customer database A manager loses a memory stick with customer bank details on it
Natural
Fire Flood Severe weather Earthquake Lightning
Your main office burns down due to an electrical fault The nearby river breaks its banks and your main office is severely flooded No-one can get into the office due to the weather The area of your main office is affected by an earth tremor that damages all your servers All your servers are fried by a lightning strike on the data centre building
Technical
Hardware failure Software failure Virus/Malicious code
A key server has a processor failure Your financial system processes invoices incorrectly due to a bug A virus spreads throughout your network preventing access to your data
Physical
Sabotage Theft Arson
A disgruntled ex-employee takes an axe to your server room You come in on Monday morning to find all of your PCs have been stolen Someone with a grudge against your organization starts a fire during the night
Version 1
Page 17 of 18
[Insert date]
Risk Assessment and Treatment Process
Threat Category Environmental
Threat
Example
Hazardous waste Power failure Gas supply failure
A lorry carrying hazardous waste has an accident outside your office The sub-station supplying your area has a meltdown There is a suspected leak and all supplies are turned off
Operational
Process error
Your new data transfer procedure doesn't cater for unexpected circumstances and data is lost or sent to the wrong destination A crime happens in or near your office and the area is sealed off by police
Crime scene Table 2 - Typical threats
Version 1
Page 18 of 18
[Insert date]