Example Risks

Policies and procedures may not be followed

For this example, we will add a risk that employees may not be following policies and procedures.

Risk Name

The name given for the individual risks.

Policies and procedures may not be followed

Status

In the context of an Information Security Management System (ISMS), the status of risks can be described as either open or managed.

  • Open - An open risk is a risk that has been identified, assessed, and acknowledged, but has not been mitigated or treated. It remains a potential threat to the organisation and requires further action to reduce its likelihood or impact.

  • Managed - A managed risk, on the other hand, is a risk that has been adequately mitigated or treated. The organisation has taken appropriate measures to address the risk, and it no longer poses a significant threat to the information assets.

For this example, we'll assume we have measures in place, so we will mark it as Managed.

Managed

Risk Owner

The risk owner is influenced by the organisation's size and complexity. In most cases, the responsibility falls upon a senior executive, such as a department head.

Bilbo Baggins

Asset Affected

Select the asset from the asset list that is most affected by the risk.

Gondor servers

Risk Description

The description section offers a detailed and complete summary of the risk, providing the reader with a clear understanding of what it entails.

Employees may not have the understanding or knowledge to follow company policy and procedures, resulting in potential incidents.

C.I.A.

Which parts of the CIA triad, if any, this risk affects. CIA stands for Confidentiality, Integrity, and Availability, and is a core cybersecurity concept. You can read more about the CIA triad here.

This particular risk may result in employees not following policies and procedures relating to access and change management which could risk confidentiality and integrity of information, so we will select Confidentiality and Integrity.

Confidentiality, Integrity

Date Raised

The specific date on which the risk was noticed.

For this example, we'll just pick a date.

21/03/2023

Date Closed

The specific date on which the risk was mitigated or accepted by a member of the senior team.

Let's pretend this risk took a few days to have measures put in place for its management.

24/03/2023

Impact

The impact of a risk refers to the potential harm or damage that can be caused to an organisation's information assets and systems if a threat were to exploit a vulnerability. This is represented on a five-level scale from Very Low to Very High.

  • Very Low

  • Low

  • Moderate

  • High

  • Very High

We'll assign a Moderate impact to this one.

Moderate

Probability Level

Risk probability refers to the likelihood that a security incident or breach may occur. Essentially, it represents the chance of a potential threat exploiting a vulnerability in the system, resulting in a negative impact or harm to the organisation's assets or resources. This is represented on a five-level scale from Very Low to Very High.

  • Very Low

  • Low

  • Moderate

  • High

  • Very High

Without training, it's likely that employees will not know the contents of policies and procedures and probably won't be following them. We'll mark this as High.

High

Risk Rating

A risk rating is a measure of the level of risk associated with a particular threat or vulnerability to the organisation's information assets. It is represented on a five-level scale from Very Low to Very High and combines the probability of the risk occurring with the potential impact it could have on the organisation.

This is calculated automatically by Harpe, so we don't need to worry about this one. With these inputs it will be Moderate.

Moderate

Treatment Action

The treatment action is the approach that will be taken in regards to a risk. You can read more about Harpe's treatment actions here.

In this case, we will opt for Risk Reduction and implement measures to help reduce the likelihood that this risk occurs.

Risk Reduction

Treatment Plan

A risk treatment plan outlines the strategies and measures that an organisation will use to manage identified risks. It includes information on the specific controls that will be implemented to mitigate risks, as well as the responsibilities and timelines for carrying out these actions. The risk treatment plan provides an overall framework for managing risks, and is often reviewed and updated periodically to ensure that it remains effective.

The measures that we will implement to mitigate employees not following policies and procedures will be to ensure sufficient training is completed as part of their onboarding.

Employees are required to complete training as part of their onboarding.

Applicable Controls

Annex A controls refer to a set of controls defined in Annex A of the ISO/IEC 27001 standard, which is a widely recognised international standard for information security management. These controls are intended to help organisations protect their information assets by mitigating various types of risks, including those related to confidentiality, integrity, and availability.

For this example, we'll just pick out A.6.3 from the ISO27001:2022 standard.

A.6.3 Information security awareness, education and training

Residual Impact

The residual impact of a risk refers to the potential negative consequences that may still exist even after the implementation of risk management measures. This is represented on a five-level scale from Very Low to Very High.

  • Very Low

  • Low

  • Moderate

  • High

  • Very High

Since we've implemented measures to reduce the impact of this risk, we'll lower this to Very Low.

Very Low

Residual Probability Level

Residual probability of a risk refers to the likelihood of the risk causing harm or damage even after security measures have been implemented as part of an Information Security Management System (ISMS). This is represented on a five-level scale from Very Low to Very High.

  • Very Low

  • Low

  • Moderate

  • High

  • Very High

As we've implemented sufficient measures, we'll drop the risk probability down to Very Low.

Very Low

Residual Rating

Residual rating of a risk refers to the level of risk that remains after an organisation has implemented controls to mitigate the risk. It takes into account both the probability of the risk occurring and the potential impact it could cause. This is represented on a five-level scale from Very Low to Very High.

This is calculated automatically by Harpe, and with our other inputs will result in Very Low.

Very Low
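As an added example (not Harpe's code, nor part of the original page), here is the register entry built up above modelled in Python, with the consistency checks a reviewer would apply before accepting it: the C.I.A. values are valid, a Managed risk has a Date Closed that is not before its Date Raised, and the residual rating (this section) does not exceed the inherent rating (the Risk Rating section). The page does not give Harpe's rating formula, so `rating()` is an assumed placeholder chosen only because it reproduces the two results the page states.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set

# Five-level scale used for impact, probability and ratings, lowest first.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]
CIA = {"Confidentiality", "Integrity", "Availability"}
DATE_FMT = "%d/%m/%Y"  # dates on the page are written as 21/03/2023


def rating(impact: str, probability: str) -> str:
    # ASSUMPTION: the page says Harpe calculates this automatically but gives no
    # formula. Floor of the ordinal mean is a placeholder that reproduces both
    # results the page states (Moderate + High -> Moderate, Very Low + Very Low
    # -> Very Low); replace it if the real rule is known.
    i, p = LEVELS.index(impact), LEVELS.index(probability)
    return LEVELS[(i + p) // 2]


@dataclass
class Risk:
    name: str
    status: str                 # "Open" or "Managed"
    cia: Set[str]               # subset of CIA
    date_raised: str
    date_closed: Optional[str]  # None while the risk is still Open
    impact: str
    probability: str
    residual_impact: str
    residual_probability: str

    def validate(self) -> List[str]:
        # Returns consistency problems; an empty list means the entry is sound.
        problems = []
        if not self.cia <= CIA:
            problems.append("C.I.A. may only contain Confidentiality/Integrity/Availability")
        if self.status == "Managed" and not self.date_closed:
            problems.append("a Managed risk needs a Date Closed")
        if self.date_closed and (datetime.strptime(self.date_closed, DATE_FMT)
                                 < datetime.strptime(self.date_raised, DATE_FMT)):
            problems.append("Date Closed is before Date Raised")
        inherent = LEVELS.index(rating(self.impact, self.probability))
        residual = LEVELS.index(rating(self.residual_impact, self.residual_probability))
        if residual > inherent:
            problems.append("residual rating exceeds the inherent rating")
        return problems


# The entry built up on this page, with the values chosen above.
EXAMPLE = Risk("Policies and procedures may not be followed", "Managed",
               {"Confidentiality", "Integrity"}, "21/03/2023", "24/03/2023",
               "Moderate", "High", "Very Low", "Very Low")
```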

Accepted by

Accepted by is a term used in risk management to refer to the decision-making process in which an organisation acknowledges a risk and decides whether to accept it or take action to mitigate it. This decision is typically made by an individual who is more senior than the risk owner, although in smaller organisations, the same person may fulfill both roles.

The acceptance of a risk does not mean that the organisation is ignoring the risk. Rather, it indicates that the organisation has carefully considered the risk and has decided that the potential benefits outweigh the potential negative consequences, or that the cost of mitigating the risk outweighs the potential benefits.

It is important for the "accepted by" individual to have a thorough understanding of the organisation's risk appetite, risk tolerance, and risk management policies and procedures. They must also have the authority to make decisions on behalf of the organisation and be able to balance competing priorities to ensure that the organisation is making informed and strategic decisions about its risk management approach.

Ultimately, the "accepted by" decision reflects the organisation's risk management culture and its willingness to accept risk as a natural part of doing business. It is a crucial component of effective risk management and requires ongoing review and assessment to ensure that the organisation's risk posture remains aligned with its strategic objectives.

Bilbo Baggins
