Page 1

Risk Assessment and Treatment Process

ISO/IEC 20000 Toolkit Version 9 ©CertiKit


Risk Assessment and Treatment Process

Implementation Guidance (The header page and this section must be removed from final version of the document)

Purpose of this document The Risk Assessment and Treatment Process documents how risk assessments will be carried out and the resulting risks treated.

Areas of the standard addressed The following areas of the ISO/IEC 20000:2018 standard are addressed by this document: 8.7.2 Service continuity management 8.7.3.2 Information security controls

General Guidance The intention of this document is to provide a process that can be used for both service continuity and information security related risk assessments, as these obviously have a fair degree of overlap. The risk assessment process underpins much of the ISO/IEC 20000 standard and it is worth spending some time to understand its main points. If you have a corporate risk assessment process within your organization then you should either adopt that or ensure that this process is in harmony with it. There is an international standard for risk management which may be worth obtaining – ISO 31000. This is not required for ISO/IEC 20000 but gives the “official” view of how risk management should be carried out. The important aspects are that you identify, assess and treat the risks, implementing appropriate controls which can be referenced back to the risk(s) they address.

Review Frequency We would recommend that this document is reviewed annually.

Toolkit Version Number ISO/IEC 20000 Toolkit Version 9 ©CertiKit.

Version 1

Page 2 of 19

[Insert date]


Risk Assessment and Treatment Process

Document Fields This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document): 1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name 2. Press Ctrl a on the keyboard to select all text in the document (or use Select, Select All on the ribbon) 3. Press F9 on the keyboard to update all fields 4. When prompted, choose the option to just update TOC page numbers If you wish to permanently convert the fields in this document to text i.e. so that they are no longer updateable, then you will need to click into each occurrence of the field and press Ctrl Shift F9. If you would like to make all fields in the document visible, then go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check that you have updated all fields correctly. Further detail on the above procedure can be found in the Toolkit Completion Instructions.

Copyright notice Except for any third-party works included in this document, as identified in this document, this document has been authored by CertiKit, and is © copyright CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.

Licence terms This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.

Version 1

Page 3 of 19

[Insert date]


Risk Assessment and Treatment Process

Disclaimer Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness, or adequacy of our document templates, assumes no duty of care to any person with respect its document templates or their contents, and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.

Version 1

Page 4 of 19

[Insert date]


Risk Assessment and Treatment Process

[Replace with your logo]

Risk Assessment and Treatment Process

Document Ref. Version: Dated: Document Author: Document Owner:

Version 1

Page 5 of 19

SMS-DOC-087-11 1 [Insert date]

[Insert date]


Risk Assessment and Treatment Process

Revision History Version Date

Revision Author

Summary of Changes

Distribution Name

Title

Approval Name

Version 1

Position

Signature

Page 6 of 19

Date

[Insert date]


Risk Assessment and Treatment Process

Contents 1

INTRODUCTION ....................................................................................................................................... 8

2

RISK ASSESSMENT AND TREATMENT PROCESS .......................................................................... 9 2.1 CRITERIA FOR PERFORMING INFORMATION SECURITY RISK ASSESSMENTS .............................................. 9 2.2 PROCESS DIAGRAM ................................................................................................................................. 10 2.3 IDENTIFICATION OF RISKS ....................................................................................................................... 11 2.3.1 Identify Risk Scenarios.................................................................................................................. 11 2.3.2 Assess the Likelihood .................................................................................................................... 11 2.3.3 Assess the Impact .......................................................................................................................... 11 2.4 RISK ANALYSIS AND EVALUATION ......................................................................................................... 12 2.4.1 Numerical Classification .............................................................................................................. 12 2.4.2 Risk Acceptance Criteria .............................................................................................................. 13 2.4.3 Risk Assessment Report ................................................................................................................ 13 2.5 RISK TREATMENT ................................................................................................................................... 13 2.5.1 Risk Treatment Options ................................................................................................................ 14 2.5.2 Risk Treatment Plan...................................................................................................................... 14 2.6 SELECTION OF CONTROLS ....................................................................................................................... 14 2.7 MANAGEMENT APPROVAL ...................................................................................................................... 15 2.8 RISK MONITORING AND REPORTING ....................................................................................................... 15 2.9 REGULAR REVIEW .................................................................................................................................. 15 2.10 ROLES AND RESPONSIBILITIES ........................................................................................................... 15 2.10.1 RACI Chart .............................................................................................................................. 15

3

CONCLUSION.......................................................................................................................................... 17

4

APPENDIX A – LIST OF TYPICAL THREATS .................................................................................. 18

List of Figures FIGURE 1 - RISK ASSESSMENT AND TREATMENT PROCESS .......................................................................................... 10 FIGURE 2 - RISK CLASSIFICATION MATRIX ................................................................................................................ 12

List of Tables TABLE 1- RACI MATRIX .......................................................................................................................................... 16 TABLE 2 - TYPICAL THREATS .................................................................................................................................... 19

Version 1

Page 7 of 19

[Insert date]


Risk Assessment and Treatment Process

1 Introduction The effective management of service continuity and information security has always been a priority for [Organization Name] in order to manage risk and safeguard its reputation in the marketplace. However, there is still much to be gained by [Organization Name] and by [Service Provider] in introducing industry-standard good practice processes, not the least of which is the ability to become more proactive in our approach and to gain and maintain a better understanding of our customers’ needs and plans. Risk is the happening of an unwanted event, or the non-happening of a wanted event, which affects a business in an adverse way. Risk is realised when: • • • • •

the objectives of the business are not achieved the assets of the business are not safeguarded from loss there is non-compliance with organization policies and procedures or external legislation and regulation the resources of the business are not utilised in an efficient and effective manner the confidentiality, integrity and availability of information is not reliable

It is important that [Organization Name] has an effective risk assessment and treatment process in place to ensure that potential impacts do not become real, or if they do, that contingencies are in place to deal with them. It is important also that the process is sufficiently clear so that successive assessments produce consistent, valid and comparable results, even when carried out by different people.

Version 1

Page 8 of 19

[Insert date]


Risk Assessment and Treatment Process

2 Risk Assessment and Treatment Process 2.1

Criteria for Performing Information Security Risk Assessments

There are a number of circumstances in which a risk assessment should be carried out and these will vary in scope. In general these are as follows: • • • • •

A comprehensive risk assessment covering all information services as part of the initial implementation of the Service Management System (SMS) Updates to the general risk assessment as part of the management review process – this should identify changes to services, threats and vulnerabilities and therefore risk levels As part of projects that involve significant change to the organization, the SMS or its information services As part of the change management process when assessing whether proposed changes should be approved On major external change affecting the organization which may invalidate the conclusions from previous risk assessments e.g. changes to relevant legislation

If there is uncertainty regarding whether a risk assessment is appropriate, the organization should err on the side of caution and carry one out.

Version 1

Page 9 of 19

[Insert date]


Risk Assessment and Treatment Process

2.2

Process Diagram

The process of risk assessment and treatment is shown in the diagram below.

Identify the Risks

Analyse and Evaluate the Risks

Risk Acceptance Criteria

Risk Assessment Report

Identify and Evaluate Options for Treatment

Risk Treatment Plan

Obtain Management Approval for Residual Risks

Monitor and Report

Regular Review

Figure 1 - Risk assessment and treatment process

Each step in this process is described in more detail in the rest of this document.

Version 1

Page 10 of 19

[Insert date]


Risk Assessment and Treatment Process

2.3

Identification of Risks

The process of identifying risks will consist of the following steps in line with the requirements of ISO/IEC 20000. The starting point for the risk assessment is the service catalogue which sets out the services provided and other useful information such as numbers of users and service dependencies. 2.3.1

Identify Risk Scenarios

The identification of risks to information services will be performed by a combination of group discussion and interview with the interested parties. Such interested parties will normally include (where possible): • • • • • • •

Manager(s) responsible for the service (service owner) Representatives of the people that normally carry out each aspect of the service Providers of the inputs to the service Recipients of the outputs of the service Appropriate third parties with relevant knowledge Representatives of those providing supporting services and resources to the service Any other party that is felt to provide useful input to the risk identification process

Identified risks will be recorded with as full a description as possible. 2.3.2

Assess the Likelihood

An estimate of the likelihood of the threat occurring must be made. This should take into account whether it has happened before either to this organization or similar organizations in the same industry or location and whether there exists sufficient motive, opportunity and capability for the threat to become real. 2.3.3

Assess the Impact

An estimate of the impact that the loss of confidentiality, integrity or availability of the service could have on the organization should be given. Consideration should be given to the impact in the following areas: • • • • •

Customers Finance Health and Safety Reputation Knock-on impact within the organization

Version 1

Page 11 of 19

[Insert date]


Risk Assessment and Treatment Process

•

2.4

Legal, contractual or organizational obligations

Risk Analysis and Evaluation

2.4.1

Numerical Classification

To assess the risk to a service and determine the appropriate treatment, [Organization Name] will examine the threats, the likelihood that the threat will take place and the impact of it should it occur. A 5-point scale will be used to describe the likelihood of a risk taking place and also to describe the impact that it is likely to have. The 5-point scale for the likelihood ranges from 1=improbable to 5=almost certain; the 5-point scale for the impact ranges from 1=negligible to 5=very high. The risk matrix shown below illustrates the scales and allows us to prioritise our risks so that they can be managed more effectively.

RISK SCORE 5 HIGH 4

Risk Likelihood

MEDIUM

3

2 LOW 1

1

2

3

4

5

Risk Impact

Figure 2 - Risk classification matrix

The risk classification used will be the score obtained from multiplying the likelihood that the risk will occur and the impact it is likely to have. Both scales range from 1 to 5, so the minimum score will be 1 and the maximum score will be 25 as shown in the matrix above. Each risk will be allocated a classification based on its score as follows:

Version 1

Page 12 of 19

[Insert date]


Risk Assessment and Treatment Process

• • •

HIGH MEDIUM LOW

– – –

12 or more 5 to 10 inclusive 1 to 4 inclusive

The rationale for indicating the likelihood and impact ratings awarded will be given so that these can be assessed at a later date to see if they have materially changed. This will also assist in ensuring consistency and repeatability in risk assessments. 2.4.2

Risk Acceptance Criteria

The matrix in Figure 2 shows the classifications of risk, where green indicates an acceptable threshold as the likelihood is minimal or/and the impact is minimal. The orange indicates that the risk threshold is medium as the risk is larger as is the impact; so containing those risks is more important than addressing those in the green. The red area indicates the risks that are of the highest priority as both the impact and the risk are relatively high, so measures to contain them must be of the highest priority and, if they cannot be reduced then countermeasures must be in place for these risks. The overall intention of the risk assessment and proposed treatments is to reduce the classification of the risks to an acceptable level e.g. HIGH down to MEDIUM or MEDIUM down to LOW. This is not always possible as sometimes although the score is reduced, it remains in the same classification e.g. reducing the score from 8 to 6 means it still remains a MEDIUM level risk. The organization may decide to accept these risks even though they remain at a MEDIUM rating. 2.4.3

Risk Assessment Report

The output from the risk analysis and evaluation stage is the risk assessment report. This shows the following information: • • • • • • • •

Risk scenario descriptions Controls currently implemented Likelihood (including rationale) Impact (including rationale) Score Classification Risk Owner Whether the risk is accepted or needs treatment

This report is input to the risk treatment stage of the process and must be signed off by management before continuing. 2.5

Risk Treatment

For those risks that are judged to be above the threshold for acceptance by [Organization Name], the options for treatment will then be explored.

Version 1

Page 13 of 19

[Insert date]


Risk Assessment and Treatment Process

2.5.1

Risk Treatment Options

The following options may be applied to the treatment of the identified unacceptable risks: 1. Apply appropriate controls to lessen the likelihood and/or impact of the risk 2. Avoid the risk by taking action that means it no longer applies 3. Transfer the risk to another party e.g. insurer or supplier Judgement will be used in the decision as to which course of action to follow, based on a sound knowledge of the circumstances surrounding the risk e.g. • • • •

Business strategy Regulatory and legislative considerations Technical issues Commercial and contractual issues

The Risk Manager will ensure that all parties who have an interest or bearing on the treatment of the risk are consulted. 2.5.2

Risk Treatment Plan

The evaluation of the treatment options will result in the production of the risk treatment plan which will detail: • • • •

Risks above the acceptance threshold Services affected Recommended treatment option Control Requirements

This document will be input to the next stage in the process where controls will be selected to meet the identified requirements. 2.6

Selection of Controls

The intention of the application of controls is to reduce the likelihood or impact (or both) of a risk. These controls may be technical, physical or administrative. Annex A of the ISO/IEC 27001:2013 information security standard or similar best practice documentation will be used as the starting point for the identification of appropriate controls to address the information security risk treatment requirements identified as part of the risk assessment exercise. In the event that the controls set out in Annex A do not address all requirements then additional controls may be implemented.

Version 1

Page 14 of 19

[Insert date]


Risk Assessment and Treatment Process

2.7

Management Approval

At each stage of the risk assessment process management will be kept informed of progress and decisions made, including formal signoff of the proposed residual risks. Management will approve the following documents: • •

Risk Assessment Report Risk Treatment Plan

Signoff will be indicated according to [Organization Name] documentation standards. In addition to overall management approval, each treatment should be signed off by the relevant risk owner. 2.8

Risk Monitoring and Reporting

As part of the implementation of new controls and the maintenance of existing ones, key performance indicators will be identified which will allow the measurement of the success of the controls in addressing the relevant risks. These indicators will be reported on a regular basis and trend information produced so that exception situations can be identified and dealt with by management. 2.9

Regular Review

In addition to a full annual review, risk assessments will be evaluated on a regular basis to ensure that they remain current and the applied controls valid. The relevant risk assessments will also be reviewed upon major changes to the business such as office moves, mergers and acquisitions or introduction or new or changed IT services. 2.10 Roles and Responsibilities Within the process of risk assessment there are a number of key roles that play a part in ensuring that all risks are identified, addressed and managed. These roles are shown in the RACI table below, together with their relative responsibilities at each stage of the process. 2.10.1 RACI Chart

The table below clarifies the responsibilities at each step using the RACI model, i.e.:

Version 1

Page 15 of 19

[Insert date]


Risk Assessment and Treatment Process

R= Responsible

A= Accountable

C= Consulted

Role: Information Security Step Manager Identify the risks A/R Risk Acceptance Criteria C Analyse and Evaluate the risks A/R Identify and Evaluate Options A/R for Treatment Select Control Objectives and A/R Controls Obtain Management Approval A for Residual Risks Monitor and Report A/R Regular Review A/R

I= Informed

Business Operational Management Staff C A/R C C

C C C C

C

C

R

C

I C

C C

Table 1- RACI matrix

Further roles and responsibilities may be added to the above table as the risk assessment and treatment process matures within [Organization Name].

Version 1

Page 16 of 19

[Insert date]


Risk Assessment and Treatment Process

3 Conclusion The process of risk assessment and treatment is fundamental to the implementation of a successful Service Management System (SMS) and forms a significant part of the ISO/IEC 20000 standard. By following this process [Organization Name] will go some way to ensuring that the risks that it faces in the day to day operation of its business are effectively managed and controlled.

Version 1

Page 17 of 19

[Insert date]


Risk Assessment and Treatment Process

4 Appendix A – List of Typical Threats The following list may be used as a starting point for creating a relevant list of threats which may apply to the information services identified in the service catalogue. Threat Category Human

Threat

Example

Malicious outsider Malicious insider Loss of key personnel Human error Accidental loss

Someone launches a denial of service attack on your ecommerce website An employee or trusted third party accesses information in an unauthorised manner from inside your network One or more people with key skills or knowledge are unavailable perhaps due to extended sickness An employee accidentally deletes the customer database A manager loses a memory stick with customer bank details on it

Natural

Fire Flood Severe weather Earthquake Lightning

Your main office burns down due to an electrical fault The nearby river breaks its banks and your main office is severely flooded No-one can get into the office due to the weather The area of your main office is affected by an earth tremor that damages all your servers All your servers are fried by a lightning strike on the data centre building

Technical

Hardware failure Software failure Virus/Malicious code

A key server has a processor failure Your financial system processes invoices incorrectly due to a bug A virus spreads throughout your network preventing access to your data

Physical

Sabotage Theft Arson

A disgruntled ex-employee takes an axe to your server room You come in on Monday morning to find all of your PCs have been stolen Someone with a grudge against your organization starts a fire during the night

Version 1

Page 18 of 19

[Insert date]


Risk Assessment and Treatment Process

Threat Category Environmental

Threat

Example

Hazardous waste Power failure Gas supply failure

A lorry carrying hazardous waste has an accident outside your office The sub-station supplying your area has a meltdown There is a suspected leak and all supplies are turned off

Operational

Process error

Your new data transfer procedure doesn't cater for unexpected circumstances and data is lost or sent to the wrong destination A crime happens in or near your office and the area is sealed off by police

Crime scene Table 2 - Typical threats

Version 1

Page 19 of 19

[Insert date]

Profile for CertiKit Limited

SMS-DOC-087-11 Risk Assessment and Treatment Process  

SMS-DOC-087-11 Risk Assessment and Treatment Process  

Profile for public-it