
Risk Management

Doc A2

Version: 1.0

Publication Date: January 01, 2019


Current Status: Published
Author(s): Michael Woolard
Last Reviewed: Michael Woolard
Table of Contents
1 Introduction (page 3)
1.1 Scope (page 3)
1.2 Responsibilities (page 3)
2 Risk Framework (page 3)
2.1 Impact and Likelihood Scales (page 3)
2.2 Risk Acceptance Criteria (page 4)
2.3 Assets (page 5)
3 Supplier Risk Assessments (page 5)
4 Selecting Controls for Statement of Applicability (SOA) (page 5)
5 Document Control and Approval (page 5)
6 Document Control and Approval (page 6)
6.1 Distribution (page 6)
6.2 Version Information (page 6)
1 Introduction
1.1 Scope
Wacky Widget’s risk management framework applies to all risks identified as part of the
strategic business planning process and is intended to enable the organization to pursue and
achieve the information security objectives set out in its Information Security Policy.

1.2 Responsibilities
The Chief Information Security Officer is responsible for ensuring that the organization’s risk
management framework meets the requirements of Wacky Widget’s leadership and of
interested parties, which includes identifying legislative, regulatory and client requirements.

Staff and Managers are responsible for carrying out risk assessments as necessary.

2 Risk Framework
The organization evaluates strategic and operational risks on an ongoing, 'as necessary'
basis. This approach recognizes the rapid evolution and fast changing nature of the business.

An initial Asset-based Risk Assessment was carried out, on initiation of the Information
Security project, in relation to key assets within the scope of the Information Security
Management System as defined.

Thereafter, risk assessments are carried out whenever there is a change to any of the Assets
(e.g. addition or removal of assets), to the scope of the Information Security Management
System or to the risk environment. 

The Asset-based Risk Assessment is updated at least annually.

Procedures for risk assessments are established and documented here:

2.1 Impact and Likelihood Scales


Risks are assessed on the basis that each risk is given an impact value based on the
estimated total possible cost of loss that might be experienced if security were breached due
to the risk.  For an asset-based risk assessment the value will consider the Asset’s
confidentiality, integrity, and availability in its business context including legal/regulatory and
contractual contexts. 

This valuation will be carried out using an Impact Valuation Scale that has 3 levels where:
- low (1) is below $50k
- medium (2) is between $50k and $250k
- high (3) is above $250k

Alternatively, impact may be based on industry reputation where:

- low (1) is an internal matter
- medium (2) is recoverable reputational loss (certain industry segments only)
- high (3) is unrecoverable industry-wide reputational loss

or on regulatory considerations where:

- low (1) is a minor issue or concern
- medium (2) is where flags are raised, or significant customer or internal concerns are
voiced concerning adherence to required regulation and legislation
- high (3) is a breach of regulation or legislation around core competencies or the
operating model

The likelihood of the impact occurring will be estimated using a 3-level Likelihood scale
where:
- low (1) is unlikely to occur in a given year
- medium (2) is 1 to 5 occurrences per year
- high (3) is more than 5 occurrences per year

Risk level will be estimated using a multi-level scale that takes account of both the extent of
impact and the frequency of occurrence.  The risk levels are defined as:
- 1 being very low
- 2 low
- 3 medium
- 4 high
- 5 very high

The risk level is calculated as Risk = Likelihood + Impact - 1

2.2 Risk Acceptance Criteria


The Impact and Likelihood scales and Risk Acceptance Criteria are detailed in Diagram 1
below.

Diagram 1 Risk Acceptance Criteria

See 2.1 for likelihood and impact scale definition.

Acceptable levels of risk are defined as those that are the same as, or below, the approved
acceptable risk level as agreed by the Senior Management Team. Acceptable Risk (green) is
defined as any risk that falls within level 1 (very low) in the risk matrix shown above. This is
calculated by reference to the scales selected by management and will be reviewed yearly. 

This will help the organization maintain confidentiality, integrity and availability of all the
physical and electronic information assets throughout the organization in order to comply with
its Information Security Management System (ISMS) Policy.

After completion of the risk assessment for any Asset, the levels of identified risk are reviewed
and compared to the risk acceptance criteria.  All risks that are at or below the acceptable
level (green) are automatically accepted.  Risks that are at a level higher (amber or red) may
be transferred to a third party such that the residual risk is at or below the accepted level or
must be reduced by implementation of appropriate controls selected from Annex A of ISO/IEC
27001:2013 to a level consistent with the risk acceptance criteria.  Where necessary,
additional controls will be selected and implemented to reduce the residual risk level to or
below the acceptable level.
Wherever residual risk remains for any reason above the acceptable risk threshold, any
decision to tolerate such a risk must be taken by the appropriate senior management.  If the
risk is high (red) Director approval must be provided for that level of exposure. 

At their discretion, senior management may elect to treat risks that fall within the acceptable
criteria where improved control is felt necessary.
The impact factor can be derived from the Asset valuation in different ways, though care
should be taken to ensure that this is done consistently within the organization.
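The scales of Section 2.1 and the acceptance rules of Section 2.2, written out as executable scoring and decision logic so that the full 3x3 matrix Diagram 1 would show can be regenerated. This is an added example, not part of the Wacky Widget document; the boundary handling (exactly $50k and $250k counted as "between", fewer than one event per year counted as "unlikely") and the assumption that red covers levels 4 and 5 are the editor's, since the diagram is not reproduced here.

```python
LEVEL_NAMES = {1: "very low", 2: "low", 3: "medium", 4: "high", 5: "very high"}
ACCEPTABLE_LEVEL = 1  # green: only level 1 (very low), per Section 2.2

def impact_from_cost(cost_usd):
    """Impact scale: below $50k -> 1, $50k to $250k -> 2, above $250k -> 3."""
    if cost_usd < 50_000:
        return 1
    if cost_usd <= 250_000:  # assumption: both boundary values count as "between"
        return 2
    return 3

def likelihood_from_frequency(events_per_year):
    """Likelihood scale: under 1 per year -> 1, 1 to 5 -> 2, more than 5 -> 3."""
    if events_per_year < 1:
        return 1
    if events_per_year <= 5:
        return 2
    return 3

def risk_level(likelihood, impact):
    """Section 2.1 formula: Risk = Likelihood + Impact - 1 (level 1 to 5)."""
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("likelihood and impact must be on the 1..3 scales")
    return likelihood + impact - 1

def treatment_decision(level):
    """Section 2.2: green is auto-accepted; higher levels must be treated or
    transferred, and tolerating them needs senior management sign-off, with
    Director approval for red. Red = levels 4-5 is an assumption (no Diagram 1)."""
    if level <= ACCEPTABLE_LEVEL:
        return "green", "accept"
    if level >= 4:
        return "red", "treat or transfer; Director approval to tolerate"
    return "amber", "treat or transfer; senior management approval to tolerate"

def risk_matrix():
    """Rebuild the 3x3 likelihood x impact matrix that Diagram 1 would show."""
    return {(lik, imp): risk_level(lik, imp) for lik in range(1, 4) for imp in range(1, 4)}

def assess(cost_usd, events_per_year):
    """Raw estimates -> scale values -> risk level -> colour and required action."""
    lik = likelihood_from_frequency(events_per_year)
    imp = impact_from_cost(cost_usd)
    level = risk_level(lik, imp)
    colour, action = treatment_decision(level)
    return {"likelihood": lik, "impact": imp, "level": level,
            "name": LEVEL_NAMES[level], "colour": colour, "action": action}
```

With only level 1 acceptable, the matrix shows that any asset with a medium impact is already amber even when the event is unlikely, which is why the document requires treatment or transfer for everything above green.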

2.3 Assets
Assets are maintained in an inventory as per DOC A8.1 Asset Management. 

All assets must have an owner who is responsible for ensuring that an appropriate risk
assessment is carried out, and for approving the risk treatment plan and accepting any
residual risk.  Owners are selected by top-level management based on the organization
structure of the company to reflect existing responsibilities.  Some assets may have multiple
owners.

3 Supplier Risk Assessments

Further guidance regarding risk assessment for suppliers can be found in DOC A15 Supplier
Relationships.

Where a risk assessment needs to be carried out on a variety of suppliers with similar risks,
they may be grouped and the risk assessment carried out once across each grouping or
category of suppliers.

4 Selecting Controls for Statement of Applicability (SOA)


Controls for the Statement of Applicability (SOA) are selected based on the risk assessment. 

During the initial project, the initial Asset-based Risk Assessment was completed twice. 

Firstly, from the perspective of having no existing controls, in order to select controls for the
Statement of Applicability (SoA).  Risks were identified, and the subsequent risk treatment was
summarized by the Information Security Manager, with all the selected control objectives and
controls being formed into the SoA.  The SoA was drawn up together with justification for
accepting/rejecting each ISO/IEC 27001 control.

A second assessment was carried out based on the current operating level of controls to
produce an initial risk treatment plan.
5 Document Control and Approval
The Chief Information Security Officer is the owner of this document and is responsible for
ensuring that this procedure is reviewed in line with the review requirements of the ISMS.

A current version of this document is available to all members of staff and is the published
version.

This document is not yet approved and is issued on a version-controlled basis.

6 Document Control and Approval

The Chief Information Security Officer is the owner of this document and is responsible for
ensuring that this procedure is reviewed in line with the review requirements of the ISMS.

A current version of this document is available to all members of staff and is the published
version.

This document was approved by Executive Manager Title and is issued on a version
controlled basis.

Signature: Executive Manager Signature Date: 01.01.2019

6.1 Distribution
Name      Role
Intranet  Distribution to all staff

6.2 Version Information


Version  Date      Author(s)  Details
0.1      11/28/18  M.Woolard  First draft
0.2      12/07/18  M.Woolard  Second draft
1.0      01/01/19  M.Woolard  First published
