
<Short Name> Information Security Procedure

Control of Risks and Opportunities

1 Introduction
2 Scope
This procedure sets out <Short Name>’s arrangements for identifying, assessing and
treating information security risks.

3 Revision History

Revision  Date             Record of Changes  Approved By
0.0       [Date of Issue]  Initial Issue

4 Control of hardcopy versions


The digital version of this document is the most recent version. It is the responsibility of the
individual to ensure that any printed version is the most recent version. The printed version
of this manual is uncontrolled, and cannot be relied upon, except when formally issued by
the <Document Controller> and provided with a document reference number and revision in
the fields below:
Document Ref. Rev. Uncontrolled Copy X Controlled Copy

5 References

Standard        Title                                         Description
ISO 27000:2014  Information security management systems       Overview and vocabulary
ISO 27001:2013  Information security management systems       Requirements
ISO 27002:2013  Information technology - security techniques  Code of practice for information security controls

6 Terms and Definitions

• “staff” and “users” mean all of those who work under our control, including
employees, contractors, interns etc.

• “we” and “our” refer to <Short Name>

7 Responsibilities
The <ISMS Manager> is responsible for all aspects of the implementation and management
of this procedure, unless noted otherwise.
Managers and supervisors are responsible for the implementation of this policy, within the
scope of their responsibilities, and must ensure that all staff under their control understand
and undertake their responsibilities accordingly.

Control of Risks and Opportunities Page 1 of 6



8 Information security risk assessment


9 General
An information security risk review of our entire organisation is undertaken, taking account of
the established criteria, at periods not exceeding 12 months, or when significant changes are
proposed or occur.
The review is undertaken under the direction of the <ISMS Manager>, and draws on both
internal, and where required, external, expertise.
Our information security risk assessment process seeks to:

• establish and maintain information security risk criteria that include:
  - the risk acceptance criteria
  - criteria for performing information security risk assessments

• ensure that repeated information security risk assessments produce consistent, valid
and comparable results

• identify the information security risks which may lead to a potential loss of
confidentiality, integrity or availability of information

• identify the risk owners

• analyse the information security risks to:
  - assess the potential consequences that would result if the identified risks were to
materialise
  - assess the realistic likelihood of the occurrence of the identified risks
  - determine the levels of risk

• evaluate the information security risks to:
  - compare the results of risk analysis with the established risk criteria
  - prioritise the analysed risks for risk treatment

The <ISMS Manager> maintains records of the information security risk assessment process
and its outcomes.

10 Risk Identification
To identify potential information security risks we:

• identify the information assets and the owners of these assets

• identify the risks that might lead to a loss of confidentiality, integrity or availability of
information

• identify the risk owners

• identify the vulnerabilities that might lead to the risks being realised



• identify the assets that are impacted by the risk by way of loss of confidentiality,
integrity or availability

The <ISMS Manager> ensures that the findings of the identification process are recorded on
the ISMS Risk Register.

11 Risk criteria definition


The following factors are considered when defining risk criteria:

• the nature and types of the causes and consequences that can occur and how they
will be measured

• how likelihood will be defined

• the timeframe(s) of the likelihood and/or consequence(s)

• how the level of risk is to be determined

• the views of stakeholders

• the level at which risk becomes acceptable or tolerable

• whether combinations of risks should be taken into account and, if so, how and which
combinations should be considered

These factors are brought together in the comparison of a Risk Index score with a risk
treatment threshold; see “Our criteria for accepting risks” below.

12 Risk Assessment
13 General
We have adopted a straightforward risk assessment methodology that we consider to be
well suited to both this information security management system and the identified business
and regulatory information security requirements.
We have developed our criteria for accepting risks and identifying the acceptable levels of
risk, and expect our adopted methodology to produce comparable and reproducible results.

14 Analysis and evaluation of the risks


To analyse and evaluate the risks we:

• assess the severity of the impacts that might result from security failures, taking into
account the consequences of loss of confidentiality, integrity or availability of the
assets

• assess the realistic probability of security failures occurring in the light of prevailing
threats and vulnerabilities, the impacts associated with these assets, and the controls
currently implemented

• assess the controllability of the impact

• take into account the overriding nature of regulatory issues

• estimate the levels of risk expressed as a numerical Risk Index



• using our criteria for accepting risks, determine whether the risks are acceptable or
require treatment

• prioritise the analysed risks for risk treatment


We calculate the Risk Index as below:

Risk Index (RI) = Severity Score x Probability Score x Controllability Score

Scoring Guidelines

Score  Severity          Probability      Controllability
1      Minor             Very unlikely    Essentially avoidable through mitigation actions
2      Moderate          Somewhat likely  Highly controllable through actions
3      Significant       50/50 chance     Moderately controllable through actions
4      Very significant  Highly likely    Largely uncontrollable
5      Disastrous        Almost certain   Uncontrollable

15 Our criteria for accepting risks


An identified risk is considered to be acceptable / tolerable where the Risk Index is less
than 9 and there is no legal requirement.
Where the Risk Index is greater than 8, or there is a legal requirement, the identified risk is
to be reduced through risk treatment.
The <ISMS Manager> may re-categorise an identified risk from no treatment to treatment,
based on additional significant criteria, such as reputational damage or overriding
stakeholder concern.
The <ISMS Manager> ensures that the records of evaluation are recorded on the ISMS Risk
Assessment Worksheet and prioritises the analysed risks on the basis of Risk Index for risk
treatment.
The trigger level of 9 is clearly a matter of judgement. You may have good reason to adjust
the above trigger level, but whatever trigger you use should be consistently applied across
all information security aspects. You may also wish to add further ‘triggers’ for risk treatment,
such as any one of the four factors being >=5 leading to risk treatment.
However much ‘science’ is applied, the final classification will always require sound judgement, so
employ a broad and knowledgeable team to decide on impact classifications and the need
for risk treatment.
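As an added illustration that is not part of this template, the Risk Index calculation and acceptance criteria above can be expressed as a small evaluator run over a constructed set of register entries. The optional “any factor >= 5” trigger is applied to the three scored factors, and the <ISMS Manager> re-categorisation is modelled as a flag on the entry; the entry ids and scores are assumed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional

SCORE_RANGE = range(1, 6)   # each factor is scored 1..5 per the Scoring Guidelines
TREATMENT_THRESHOLD = 9     # RI < 9 acceptable, RI > 8 treat: same boundary for integer scores

@dataclass
class Risk:
    ref: str                         # Risk Register reference (constructed ids below)
    severity: int
    probability: int
    controllability: int
    legal_requirement: bool = False  # a legal requirement forces treatment regardless of RI
    manager_override: bool = False   # <ISMS Manager> re-categorisation, e.g. reputational damage

def risk_index(risk: Risk) -> int:
    """RI = Severity Score x Probability Score x Controllability Score."""
    scores = (risk.severity, risk.probability, risk.controllability)
    if any(s not in SCORE_RANGE for s in scores):
        raise ValueError(f"{risk.ref}: every score must be 1..5, got {scores}")
    return scores[0] * scores[1] * scores[2]

def treatment_reasons(risk: Risk, threshold: int = TREATMENT_THRESHOLD,
                      factor_trigger: Optional[int] = None) -> List[str]:
    """Reasons a risk must be treated; an empty list means it is acceptable."""
    reasons = []
    if risk_index(risk) >= threshold:
        reasons.append("risk_index")
    if risk.legal_requirement:
        reasons.append("legal_requirement")
    # Optional extra trigger from the procedure: any single factor at or above a level.
    if factor_trigger is not None and max(
            risk.severity, risk.probability, risk.controllability) >= factor_trigger:
        reasons.append("factor_trigger")
    if risk.manager_override:
        reasons.append("manager_override")
    return reasons

def prioritise_for_treatment(risks: List[Risk], **criteria):
    """Risks needing treatment as (ref, RI, reasons), highest Risk Index first."""
    rows = [(r.ref, risk_index(r), treatment_reasons(r, **criteria)) for r in risks]
    return sorted((row for row in rows if row[2]), key=lambda row: -row[1])

SAMPLE_REGISTER = [  # constructed sample entries, not taken from any real assessment
    Risk("R-01", 2, 2, 2),                          # RI 8: just below the threshold
    Risk("R-02", 3, 3, 1),                          # RI 9: exactly at the threshold
    Risk("R-03", 1, 1, 1, legal_requirement=True),  # RI 1, but treated on legal grounds
    Risk("R-04", 5, 1, 1),                          # RI 5: disastrous but very unlikely
]
```

Running `prioritise_for_treatment(SAMPLE_REGISTER)` lists R-02 and R-03 only; passing `factor_trigger=5` additionally pulls in R-04 on the strength of its severity score alone.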

16 Risk Treatment
17 General
Based on the steps involved in risk treatment as set out below, the <ISMS Manager>
consults with the risk owner and the owner of the information assets, as well as with those
with expert knowledge if necessary, to agree appropriate methods to eliminate or lower the
risk to an acceptable level.
Based on the outcome of this consultation, the <ISMS Manager> ensures that an ISMS Risk
Treatment Plan is prepared, that the ISMS Risk Register and ISMS Risk Worksheet are
maintained, and that the ISMS Risk Treatment Plan is executed according to its priority.




18 Steps involved in risk treatment


18.1.1 Select appropriate risk treatment options
We select appropriate information security risk treatment options, taking account of the risk
assessment results, including any of the following:

• applying appropriate controls

• knowingly and objectively accepting risks, if they clearly satisfy our policies and the
criteria for accepting risks

• avoiding risks

• transferring the associated business risks to other parties, e.g. insurers, suppliers

18.1.2 Determine the necessary controls


We determine all of the controls and control objectives that are necessary to implement the
chosen risk treatment.
We may design the controls as required, or identify them from any source.

18.1.3 Compare the controls with those in Annex A of ISO/IEC 27001:2013


Using our Information Security Control Checklist, we compare the controls selected with
those in Annex A of ISO 27001:2013 to verify that no necessary controls have been omitted.
We recognise that the control objectives and controls listed in this checklist are not
exhaustive and that additional control objectives and controls may also be required.

19 Statement of Applicability
The <ISMS Manager> ensures that an ISMS Statement of Applicability is prepared and
maintained for the entire scope of our information security management system. The ISMS
Statement of Applicability provides a summary of decisions concerning risk treatment,
justifies exclusions and provides a cross-check that no controls have been inadvertently
omitted.
The Statement of Applicability includes:

• the control objectives and controls selected, and the reasons for their selection

• the control objectives and controls currently implemented

• the exclusion of any control objectives and controls in Annex A of ISO 27001:2013
and the justification for their exclusion

• any specific control objectives and controls which we have adopted and which are
not covered by Annex A of ISO 27001:2013, the reason(s) for their adoption, and the
status of implementation

20 Risk Treatment Plan


Based on the above, the <ISMS Manager> ensures that an ISMS Risk Treatment Plan is
prepared and maintained. The risk treatment plan identifies the appropriate management
action, resources, responsibilities and priorities for managing information security risks.



Where there is residual risk after risk treatment, those residual risks are also identified and
recorded in the ISMS Risk Treatment Plan.

21 Approval
The <ISMS Manager> is required to obtain formal approval from the risk owners and
<Senior Management Team> for the ISMS Risk Treatment Plan, including the proposed
residual risks.

22 Implementation
The <ISMS Manager> ensures the implementation of the ISMS Risk Treatment Plan and
reports on its status at information security management meetings.

23 Records
Records retained in support of this procedure are listed in the Controlled ISMS Records
Register and controlled according to the Control of Management System Records
Procedure.
