Risk Assessment Plan
Ported from policies/Core 12 Security Policy - Risk Assessment Plan.md in the legacy ISMS backup. Use this as the current maintained Markdown version and track operational records in core12-isms-management.
Purpose
The purpose of this plan is to define a structured and repeatable risk assessment approach that ensures the identification, analysis, and mitigation of information security risks.
Scope
Applies to all IT systems, personnel, and business units responsible for service delivery, client work, and internal operations. Includes cloud services, workstations, web applications, marketing platforms, and file storage.
Objectives
- Identify potential threats and vulnerabilities.
- Assess the impact and likelihood of risks.
- Implement appropriate risk treatment measures.
- Ensure continual improvement of the risk management process.
Response Teams and Roles
- ISO: Oversees the risk assessment process.
- Asset Owners: Support the identification and evaluation of risks.
- Management: Approves risk treatment plans and allocates resources.
Frequency
Risk assessments are conducted:
- Annually
- When introducing new systems, services, or projects
- After major security incidents or changes
Risk Acceptance Criteria
Risks are evaluated based on a 5x5 risk matrix. Risks rated medium or above must be documented and tracked in the Risk Register. Low risks may be accepted with justification.
Risk Matrix (5x5)
| Impact ↓ / Likelihood → | 1 (Rare) | 2 (Unlikely) | 3 (Possible) | 4 (Likely) | 5 (Almost Certain) |
|---|---|---|---|---|---|
| 5 (Critical) | 5 | 10 | 15 | 20 | 25 |
| 4 (Major) | 4 | 8 | 12 | 16 | 20 |
| 3 (Moderate) | 3 | 6 | 9 | 12 | 15 |
| 2 (Minor) | 2 | 4 | 6 | 8 | 10 |
| 1 (Insignificant) | 1 | 2 | 3 | 4 | 5 |
Risk Level Interpretation
| Risk Score | Risk Level | Action |
|---|---|---|
| 1-4 | Low | Acceptable; monitor periodically |
| 5-9 | Moderate | Mitigate if cost-effective |
| 10-14 | Medium | Implement treatment plan |
| 15-19 | High | Immediate treatment required |
| 20-25 | Critical | Escalate, urgent mitigation |
Risk Acceptance Process
1. Identify Assets
List all information assets, including managed devices, IT services, and projects. Each asset must have a risk assessment completed quarterly.
2. Identify Threats and Vulnerabilities
Use internal knowledge, threat intelligence, and incident logs. Include human, technical, and environmental threats.
3. Assess Risk
Determine likelihood (1-5) and impact (1-5). Calculate the risk score as Likelihood × Impact.
4. Evaluate Risk
Use the risk matrix to categorize risks (Low, Medium, High, Critical).
5. Treat Risk
Choose one of the following: Avoid, Mitigate, Transfer, Accept. Define specific actions, responsible persons, and timelines.
6. Document and Approve
Record each risk in the Risk Register with the following fields:
- Asset - The information asset, system, or process at risk
- Owner - Who is in charge of managing the risk
- Status - Open, Closed, Monitoring, Accepted
- Threat - What could go wrong (e.g., data breach, insider threat, malware)
- Vulnerability - Weakness exploited by the threat (e.g., unpatched software, human error)
- Likelihood - Probability of the risk occurring (1-5)
- Impact - Consequences if the risk materializes (e.g., data loss, downtime, reputational) (1-5)
- Risk Level - Impact × Likelihood, interpreted using the Risk Matrix above
- Existing Controls - What is currently in place to mitigate the risk
- Residual Risk - The risk that remains after applying controls
- Treatment Plan - Mitigation measures to further reduce risk
7. Monitor and Review
Track treatment progress. Update status and reassess periodically.
8. Continuous Improvement
Integrate lessons learned and audit results.