Assessment Details (Completion Guidance)
Security Classification: Insert Classification
Risk Assessment Title: Short, descriptive title
Risk Assessment Scope: Describe the scope of the risk assessment, e.g. location, process, assets
Context of Risk Assessment: Describe the general environment in which the assessment is carried out and the internal and external factors affecting it
Risk Acceptance Criteria: Set out the factors which will make a risk acceptable and therefore not require treatment
Version: Start at Version 1
Dated: Date the assessment was carried out
Risk Assessor(s): Name and title of person(s) carrying out the risk assessment
Risk Assessment Participants: Names and titles of people contributing to the risk assessment
Approval: Name and title of approver
Date Approved: Date the assessment was approved
Please Note: Not all columns are shown
[Note: to choose a different table layout, click in the table, select the Design menu ribbon and choose a table style]
Asset-Based Risk Assessment and Treatment Tool
Start with your most valuable assets and the most likely threats that will cause the highest impact.
Columns: Risk Description Ref. | Asset | Threat | Vulnerabilities | Pre-Treatment Risk Type (Select…) | Risk Owner | Existing Controls | Likelihood (Select…) | Likelihood Rationale | Impact (Select…) | Impact Rationale | Risk Score (Calculated) | Risk Level (Calculated) | Treatment ...
Rows 1 to 20 are blank template rows: Pre-Treatment Risk Type, Likelihood and Impact are drop-down selections, and Risk Score and Risk Level are calculated from the two ratings.
Please Note: Not all rows are shown
Example Assets
The following is an initial list of typical assets that may be used as guidance for your risk assessment. (Note: information assets should be captured in more detail in the Information Asset Inventory)
Asset Group: Business activities
    Asset: Business-critical activities; Supporting activities; Compliance
Asset Group: Information
    Sub-Category: Cloud customer data
        Asset: Personally identifiable information (PII); Non-PII
    Sub-Category: Corporate
        Asset: Budgets; Sales forecasts; Corporate plans; Corporate policies
    Sub-Category: Sales and Marketing
        Asset: Customer records (names, addresses, contacts); Customer credit card information; Customer bank details, e.g. Direct Debits; Website information; Customer preferences and purchase history; Customer correspondence and complaints
    Sub-Category: Human Resources
        Asset: Employee records (address, DOB, insurance numbers); Employee expense claims; Payroll information, including bank details; Training records; Recruitment information; Security clearance/check information; Employee complaints/disciplinary records; Sickness/occupational health records; Employment contracts
Please Note: Not all rows are shown
Example Threats
The following is a standard list of typical threats that may be used as guidance for your risk assessment.
Threat Category: Human
    Malicious outsider: Someone launches a denial of service attack on your cloud service platform
    Malicious insider: An employee or trusted third party accesses information in an unauthorised manner from inside your network
    Loss of key personnel: One or more people with key skills or knowledge are unavailable, perhaps due to extended sickness
    Human error: An employee accidentally deletes customer data
    Accidental loss: A manager loses a memory stick with customer bank details on it
Threat Category: Natural
    Fire: Your data centre burns down due to an electrical fault
    Flood: The nearby river breaks its banks and your main office is severely flooded
    Severe weather: No-one can get into the office due to the weather
    Earthquake: The area of your main data centre is affected by an earth tremor that damages all your servers
    Lightning: All your servers are fried by a lightning strike on the data centre building
Threat Category: Technical
    Hardware failure: A key physical server has a processor failure
    Software failure: Your financial system processes invoices incorrectly due to a bug
    Virus/Malicious code: A virus spreads throughout your network, preventing access to your (and your customers') data
Threat Category: Physical
    Sabotage: A disgruntled ex-employee takes an axe to your server room
    Theft: You come in on Monday morning to find some important drives have been stolen
    Arson: Someone with a grudge against your organisation starts a fire during the night
Threat Category: Environmental
    Hazardous waste: A lorry carrying hazardous waste has an accident outside your office
    Power failure: The sub-station supplying your area has a meltdown
    Gas supply failure: There is a suspected leak and all supplies are turned off
Classification of Risk Level
The chart below shows the rating scheme used to determine risk level based on a combination of likelihood and impact.
[Chart: Risk Score matrix. Vertical axis: Risk Likelihood, rated 1 to 5. Horizontal axis: Risk Impact, rated 1 to 5. Cells are rated LOW towards the bottom-left (low likelihood, low impact), MEDIUM through the middle, and HIGH towards the top-right (high likelihood, high impact).]
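The following is an added example, not part of the template, showing how the register's calculated columns (Risk Score, Risk Level) and the Risk Acceptance Criteria can be applied to rows built from the sheet's own example assets and threats. Two things are assumptions: the sheet says the score is "Calculated" from the 1 to 5 likelihood and impact ratings but does not show the formula, so the product is used here; and the chart only shows LOW, MEDIUM and HIGH regions, so the score cut-offs between them are illustrative. The Pre-Treatment Risk Type values, risk owners and rationales in the sample rows are constructed.

```python
from dataclasses import dataclass, asdict

# Both scales run 1 to 5, as on the chart's axes.
LIKELIHOOD_SCALE = range(1, 6)
IMPACT_SCALE = range(1, 6)

# ASSUMPTION: the chart only places LOW at the bottom-left, MEDIUM through the
# middle and HIGH at the top-right; these cut-offs on the likelihood x impact
# product are illustrative, not the template's own.
LEVEL_BANDS = (
    (1, 5, "LOW"),
    (6, 14, "MEDIUM"),
    (15, 25, "HIGH"),
)
LEVEL_ORDER = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


def risk_score(likelihood: int, impact: int) -> int:
    """Combine the two ratings into a Risk Score.

    ASSUMPTION: the sheet marks the score as calculated but does not show
    the formula; the product of the two ratings is used here.
    """
    if likelihood not in LIKELIHOOD_SCALE:
        raise ValueError(f"likelihood must be 1-5, got {likelihood}")
    if impact not in IMPACT_SCALE:
        raise ValueError(f"impact must be 1-5, got {impact}")
    return likelihood * impact


def risk_level(score: int) -> str:
    """Map a score onto the chart's LOW / MEDIUM / HIGH regions."""
    for low, high, level in LEVEL_BANDS:
        if low <= score <= high:
            return level
    raise ValueError(f"score {score} is outside the 1-25 matrix")


@dataclass
class Risk:
    """One row of the asset-based register (pre-treatment columns only)."""
    ref: int
    asset: str
    threat: str
    vulnerabilities: str
    risk_type: str
    risk_owner: str
    existing_controls: str
    likelihood: int
    likelihood_rationale: str
    impact: int
    impact_rationale: str


def assess(risks: list, acceptance_max_level: str = "LOW") -> list:
    """Fill in the calculated columns and flag rows that need treatment.

    acceptance_max_level expresses the Risk Acceptance Criteria: a risk rated
    above this level is not acceptable and needs a Treatment entry. Rows are
    returned highest score first, so the register is worked from the most
    valuable assets and most damaging threats downwards.
    """
    rows = []
    for r in risks:
        score = risk_score(r.likelihood, r.impact)
        level = risk_level(score)
        row = asdict(r)
        row["risk_score"] = score
        row["risk_level"] = level
        row["needs_treatment"] = LEVEL_ORDER[level] > LEVEL_ORDER[acceptance_max_level]
        rows.append(row)
    return sorted(rows, key=lambda row: row["risk_score"], reverse=True)


# Constructed sample rows drawn from the sheet's example assets and threats.
SAMPLE_RISKS = [
    Risk(1, "Customer bank details e.g. Direct Debits", "Accidental loss",
         "Data copied to unencrypted memory sticks", "Confidentiality",
         "Finance Director", "Clear desk policy", 3,
         "Removable media is in regular use", 5,
         "Loss of bank details is a reportable breach"),
    Risk(2, "Cloud service platform", "Malicious outsider",
         "Internet-facing service with no denial of service protection",
         "Availability", "Head of Operations", "Perimeter firewall", 4,
         "Denial of service attempts are seen regularly", 3,
         "Service degraded for hours, contractual penalties"),
    Risk(3, "Main office", "Severe weather",
         "Single site, staff cannot work remotely", "Availability",
         "Facilities Manager", "Business continuity plan", 2,
         "Rare in this region", 2,
         "Short-lived disruption, most work can wait"),
]


if __name__ == "__main__":
    for row in assess(SAMPLE_RISKS):
        print(row["ref"], row["asset"], row["risk_score"], row["risk_level"],
              "treat" if row["needs_treatment"] else "accept")
```

Running the block prints the three sample rows in priority order: ref 1 (score 15, HIGH, treat), ref 2 (score 12, MEDIUM, treat) and ref 3 (score 4, LOW, accept). Raising acceptance_max_level to "MEDIUM" leaves only ref 1 needing treatment, which is exactly the effect the Risk Acceptance Criteria field is meant to have on the register.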