Adding a Risk

Clicking the Add Risk button brings up the Add Risk form.

Risk Name

The name given for the individual Risks

Status

In the context of an Information Security Management System (ISMS), the status of risks can be described as either open or managed.

• Open - An open risk is a risk that has been identified, assessed, and acknowledged, but has not been mitigated or treated. It remains a potential threat to the organisation and requires further action to reduce its likelihood or impact.

• Managed - A managed risk, on the other hand, is a risk that has been adequately mitigated or treated. The organisation has taken appropriate measures to address the risk, and it no longer poses a significant threat to the information assets.

Risk Owner

The risk owner is influenced by the organisations size and complexity. In most cases, the responsibility falls upon a senior executive, such as a department head.

Asset Affected

Select an asset from the asset list which is most effected by the risk.

Risk Description

The description section offers a detailed and complete summary of the risk, providing the reader with a clear understanding of what it entails

C.I.A.

Which parts of the CIA triad, if any, this risk affects. CIA stands for Confidentiality, Integrity, and Availability, and is a core cybersecurity concept.

• Confidentiality

Confidentiality means to protect sensitive information from unauthorised access by utilising measures such as encryption and access control. If a risk affects confidentiality, it means that data may be accessed by someone who shouldn't have access. This could be, for example, an employee who has more permissions than necessary for their job who can access information they shouldn't be able to, or a threat actor gaining access to your systems and data.

• Integrity

Integrity means to maintain the accuracy and reliability of information using measures such as version control and backups. A risk to integrity could be a user who accidentally alters data or inputs incorrect data.

• Availability

Availability is the accessibility of information. This means to ensure that information can be accessed by authorised users when it is required. Employing measures such as disaster recovery planning to ensure critical systems can be recovered and kept online at a high uptime can help maintain this concept. A risk to availability could be that a critical service, such as Google Workspace, has downtime which halts your oragnisation's operations.

Date Raised

The specific date on which the risk was noticed.

Date Closed

The specific date on which the risk was mitigated or accepted by a member of the senior team.

Impact

The impact of a risk refers to the potential harm or damage that can be caused to an organisations information assets and systems if a threat were to exploit a vulnerability. This is represented on a five-level scale from Very Low to Very High.

• Very Low

• Low

• Moderate

• High

• Very High

Probability level

Risk probability refers to the likelihood that a security incident or breach may occur. Essentially, it represents the chances of a potential threat exploiting a vulnerability in the system, resulting in a negative impact or harm to the organisations assets or resources. This is represent on a five-level scale from Very Low to Very High.

• Very Low

• Low

• Moderate

• High

• Very High

Risk Rating

A risk rating is a measure of the level of risk associated with a particular threat or vulnerability to the organisations information assets. It is represented on a five-level scale from Very Low to Very High that provides an indication of the probability of a risk occurring and the potential impact it could have on the organisation.

Treatment Action

The treatment action is the approach that will be taken in regards to a risk. This falls under the following categories:

• Risk Reduction

Risk reduction involves implementing measures to reduce the likelihood or impact of a risk. For example, training staff to spot phishing emails reduces the risk that a member of staff falls for a phishing email.

• Risk Avoidance

Risk avoidance involves removing any potential root cause of the risk, thus avoiding the risk entirely. For example, choosing not to use a cloud service that does not provide MFA.

• Risk Transference

A transferred risk is a risk that has been identified to require mitigation or remediation, but implementing the treatment lies outside of the organisation's estate. Therefore, responsibility and ability to apply mitigating controls or a remediation lies with whomever the risk is transferred to.

• Risk Acceptance

An accepted risk is a risk that has been identified which no mitigation, remediation, or transference can or will be applied to. The organisation thus accepts the possibility that the risk may come to fruition.

Treatment Plan

A risk treatment plan outlines the strategies and measures that an organisation will use to manage identified risks. It includes information on the specific controls that will be implemented to mitigate risks, as well as the responsibilities and timelines for carrying out these actions. The risk treatment plan provides an overall framework for managing risks, and is often reviewed and updated periodically to ensure that it remains effective.

Applicable Controls

Select any Annex A controls which are affected by the risk.

Annex A controls refer to a set of controls defined in Annex A of the ISO/IEC 27001 standard, which is a widely recognised international standard for information security management. These controls are intended to help organisations protect their information assets by mitigating various types of risks, including those related to confidentiality, integrity, and availability.

Residual Impact

The residual impact of a risk refers to the potential negative consequences that may still exist even after the implementation of risk management measures. This is represented on a five-level scale from Very Low to Very High.

• Very Low

• Low

• Moderate

• High

• Very High

Residual Probability Level

Residual impact probability of a risk refers to the likelihood of a risk causing harm or damage even after security measures have been implemented as part of an Information Security Management System (ISMS). This is represented on a five-level scale from Very Low to Very High.

• Very Low

• Low

• Moderate

• High

• Very High

Residual Rating

Residual rating of a risk refers to the level of risk that remains after an organisation has implemented controls to mitigate the risk. It takes into account both the probability of the risk occurring and the potential impact it could cause. This is represented on a five-level scale from Very Low to Very High.

Accepted by

Accepted by is a term used in risk management to refer to the decision-making process in which an organisation acknowledges a risk and decides whether to accept it or take action to mitigate it. This decision is typically made by an individual who is more senior than the risk owner, although in smaller organisations, the same person may fulfill both roles.

The acceptance of a risk does not mean that the organisation is ignoring the risk. Rather, it indicates that the organisation has carefully considered the risk and has decided that the potential benefits outweigh the potential negative consequences, or that the cost of mitigating the risk outweighs the potential benefits.

It is important for the accepted by individual to have a thorough understanding of the organisations risk appetite, risk tolerance, and risk management policies and procedures. They must also have the authority to make decisions on behalf of the organisation and be able to balance competing priorities to ensure that the organisation is making informed and strategic decisions about its risk management approach.

Ultimately, the accepted by decision reflects the organisations risk management culture and its willingness to accept risk as a natural part of doing business. It is a crucial component of effective risk management and requires ongoing review and assessment to ensure that the organisations risk posture remains aligned with its strategic objectives.