Instant 27001 demo environment

Risk assessment and treatment process

This page describes our risk acceptance criteria, the risk assessment process and the risk treatment process, as required by ISO/IEC 27001 clauses 6.1.2 (Information security risk assessment) and 6.1.3 (Information security risk treatment).

Process

The risk assessment is repeated at least annually, or after a major change or incident has occurred. The Risk manager is responsible for organizing the risk assessment. It is conducted together with representatives of the business processes that are in scope (see Scope description).

Initial risk assessment

The scales for likelihood and impact (see Risk matrix) are reviewed and changed if necessary.

Then we start from a list of common risks (see Risk assessment), each of which is evaluated and modified for our organization. The risk is tailored to our own processes and/or assets, and the Likelihood and Impact are estimated, taking into account the measures that already exist. New risks are added as required. Each risk should have a risk owner: the person who worries the most about the threat materializing. Usually this is a manager or a business owner.

If a risk is currently estimated at level L, its treatment can be ACCEPT.

Do not remove the linked controls; they are probably the reason the risk is already acceptable. Instead, mark them as "done".


Subsequent risk assessments

The likelihood and impact of all current risks are re-estimated. Did the measures succeed in bringing the likelihood and/or impact down? If not, the risk owner decides how to treat the residual risk: accept, mitigate, avoid or transfer.

New risks can be added based on recent incidents or current events.


Acceptance criteria

  • All identified risks should be mitigated to level L (see Risk matrix);
  • Risks at level M should be mitigated within 12 months;
  • Risks at level H should be mitigated within 3 months;
  • Management should be informed of all risks at level M or H.

Treatment

To mitigate an identified risk to an acceptable level, appropriate measures should be taken. First, we evaluate the Annex A controls for fit. Second, we can design our own measures, such as transferring the risk through insurance, or management can formally accept it. The person responsible for implementing the treatment is recorded with each risk.

The Risk treatment plan is generated automatically by aggregating the information in the Page Properties of the Risk assessment pages.

Statement of applicability

The Statement of Applicability is generated automatically by aggregating the information in the Page Properties of the Annex A control pages.