Page 1

Assessment Details Completion Guidance Security Classification:

Insert Classification

Risk Assessment Title:

Short, descriptive title

Risk Assessment Scope:

Version:

Describe the scope of the risk assessment e.g. location, process, assets Describe the general environment in which the assessment is carried out and internal and external factors affecting it Set out the factors which will make a risk acceptable and therefore not require treatment Start at Version 1

Dated:

Date the assessment was carried out

Risk Assessor(s):

Approval:

Name and title of person(s) carrying out the risk assessment Names and titles of people contributing to the risk assessment Name and title of approver

Date Approved:

Date the assessment was approved

Context of Risk Assessment:

Risk Acceptance Criteria:

Risk Assessment Participants:


Please Note: Not all columns are shown

Asset

[Note: to choose a different table layout, click in the table, select the Design menu ribbon and choose a table style]

Risk Owner

(blank)

(blank)

Risk Level

Treatment ...

Calculated

Select…

Asset-Based Risk Assessment and Treatment Tool Start with your most valuable assets and the most likely threats that will cause the highest impact. Risk Description Ref.

Asset

Threat

Vulnerabilities

Pre-Treatment Risk Type

Risk Owner

Existing Controls

Likelihood

Likelihood Rationale

Impact

Impact Rationale

Risk Score

Risk Level

1

Select…

Select…

Select…

Calculated

Calculated

2

Select…

Select…

Select…

Calculated

Calculated

3

Select…

Select…

Select…

Calculated

Calculated

4

Select…

Select…

Select…

Calculated

Calculated

5

Select…

Select…

Select…

Calculated

Calculated

6

Select…

Select…

Select…

Calculated

Calculated

7

Select…

Select…

Select…

Calculated

Calculated

8

Select…

Select…

Select…

Calculated

Calculated

9

Select…

Select…

Select…

Calculated

Calculated

10

Select…

Select…

Select…

Calculated

Calculated

11

Select…

Select…

Select…

Calculated

Calculated

12

Select…

Select…

Select…

Calculated

Calculated

13

Select…

Select…

Select…

Calculated

Calculated

14

Select…

Select…

Select…

Calculated

Calculated

15

Select…

Select…

Select…

Calculated

Calculated

16

Select…

Select…

Select…

Calculated

Calculated

17

Select…

Select…

Select…

Calculated

Calculated

18

Select…

Select…

Select…

Calculated

Calculated

19

Select…

Select…

Select…

Calculated

Calculated

20

Select…

Select…

Select…

Calculated

Calculated


Please Note: Not all rows are shown

Example Assets The following is an initial list of typical assets that may be use as guidance for your risk assessment. (Note - information assets should be captured in more detail in the Information Asset Inventory) Asset Group Sub-Category Business activities

Asset Business-critical activities Supporting activities Compliance

Information

Personally identifiable information (PII) Non-PII Budgets Sales forecasts Corporate plans Corporate policies Customer records - names, addresses, contacts Customer credit card information Customer bank details e.g. Direct Debits Website information Customer preferences and purchase history Customer correspondence and complaints Employee records - address, DOB, insurance numbers Employee expense claims Payroll information, including bank details Training records Recruitment information Security clearance/check information Employee complaints/disciplinary records Sickness/occupational health records Employment contracts

Cloud customer data Corporate

Sales and Marketing

Human Resources


Please Note: Not all rows are shown

Example Threats The following is a standard list of typical threats that may be use as guidance for your risk assessment. Threat Category Human

Threat Malicious outsider Malicious insider Loss of key personnel Human error Accidental loss

Example Someone launches a denial of service attack on your cloud service platform An employee or trusted third party accesses information in an unauthorised manner from inside your network One or more people with key skills or knowledge are unavailable perhaps due to extended sickness An employee accidentally deletes customer data A manager loses a memory stick with customer bank details on it

Natural

Fire Flood Severe weather Earthquake Lightning

Your data centre burns down due to an electrical fault The nearby river breaks its banks and your main office is severely flooded Non-one can get into the office due to the weather The area of your main data centre is affected by an earth tremor that damages all your servers All your servers are fried by a lightning strike on the data centre building

Technical

Hardware failure Software failure Virus/Malicious code

A key physical server has a processor failure Your financial system processes invoices incorrectly due to a bug A virus spreads throughout your network preventing access to your (and your customers') data

Physical

Sabotage Theft Arson

A disgruntled ex-employee takes an axe to your server room You come in on Monday morning to find some important drives have been stolen Someone with a grudge against your organisation starts a fire during the night

Environmental

Hazardous waste Power failure Gas supply failure

A lorry carrying hazardous waste has an accident outside your office The sub-station supplying your area has a meltdown There is a suspected leak and all supplies are turned off


Classification of Risk Level The chart below shows the rating scheme used to determine risk level based on a combination of likelihood and impact. RISK SCORE 5 HIGH 4

Risk Likelihood

MEDIUM

3

2 LOW 1

1

2

3

Risk Impact

4

5

Profile for CertiKit Limited

ISMS-FORM-06-1 Asset-Based Risk Assessment and Treatment Tool  

ISMS-FORM-06-1 Asset-Based Risk Assessment and Treatment Tool  

Profile for public-it