Risk Assessment & Statement of Applicability Register
Note on terminology: in professional usage, "risk managed" is a much broader concept than "risk controlled".

* Risk Management is the entire, strategic process. It is the umbrella that includes:
  * Identifying risks.
  * Assessing/analysing them (likelihood and impact).
  * Treating them (which includes controlling).
  * Monitoring and reviewing them continually.
* Risk Control (or Risk Treatment/Mitigation) is just one stage within the Risk Management process. It refers to the specific actions or safeguards (controls) put in place to reduce the likelihood or impact of an identified risk.

A key difference is that a risk can be managed by deciding to accept it (because the cost of control is too high) or by transferring it (for example, by buying insurance); neither of these is strictly "controlling" the risk. In the treatment plan below, that decision is recorded in the "Treatment Option" column, and controls are assigned only where the option is to mitigate.

Version 1.0
Scoring: each risk is rated on two 1 to 5 scales and the score is their product.

Probability (1 = Very Low, 5 = Very High)
Impact (1 = Very Low, 5 = Very High)
Risk Score = Probability × Impact (1 to 25)

| Score | Risk Level | Required Response |
|---|---|---|
| 1-6 | Low | Acceptable - Monitor |
| 8-10 | Medium | Requires Management Attention |
| 12-16 | High | Immediate Action Required |
| 20-25 | Critical | Unacceptable - Urgent Action |

The bands skip 7, 11, 13, 14 and 17 to 19 because no product of two integers between 1 and 5 takes those values, so every achievable score falls in exactly one band.
| Risk ID | Asset | Threat | Vulnerability | Impact | Probability | Risk Level | Actions |
|---|---|---|---|---|---|---|---|
| R001 | Customer Database | Unauthorized Access | Weak Authentication | 5 | 3 | 15 - High | |
| R002 | Email System | Malware/Phishing | Insufficient Email Security | 4 | 3 | 12 - High | |
Statement of Applicability: the Annex A controls (ISO/IEC 27001:2022 numbering) referenced by this register.

| Control | Requirement |
|---|---|
| A.5.1 Policies for information security | Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur. |
| A.5.2 Information security roles and responsibilities | Information security roles and responsibilities should be defined and allocated according to the organization's needs. |
| A.5.3 Segregation of duties | Conflicting duties and conflicting areas of responsibility should be segregated. |
| A.6.1 Screening | Background verification checks on all candidates for employment should be carried out in accordance with relevant laws, regulations and ethics and should be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. |
| A.6.2 Terms and conditions of employment | The contractual agreements with personnel and contractors should state their and the organization's responsibilities for information security. |
| A.6.3 Information security awareness, education and training | Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function. |
| A.7.1 Physical security perimeters | Physical security perimeters for areas that contain information and other associated assets should be defined and used. |
| A.7.2 Physical entry | Secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. |
| A.8.1 User endpoint devices | Information stored on, processed by or accessible via user endpoint devices should be protected. |
| A.8.2 Privileged access rights | The allocation and use of privileged access rights should be restricted and managed. |
| A.8.3 Information access restriction | Access to information and application system functions should be restricted in accordance with the access control policy. |
| Risk ID | Treatment Option | Control(s) | Owner | Target Date | Status | Actions |
|---|---|---|---|---|---|---|
| R001 | Mitigate | A.8.2, A.8.3 | IT Security Manager | 2024-03-31 | In Progress | |
| R002 | Mitigate | A.8.1, A.6.3 | IT Administrator | 2024-02-28 | Completed | |
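Registers like this one drift: a score gets typed in by hand, a treatment row points at a risk ID that was renumbered, or a control cited in the plan was never declared applicable. The following Python is an added example, not part of the original register, that recomputes each score from the 5x5 matrix above, compares it with the recorded level, and cross-checks the treatment plan against the register and the Statement of Applicability. The sample rows are transcribed from the two tables on this page; the function names, the dataclasses and the `SOA_CONTROLS` set (the Annex A numbers for the eleven statements listed above) are this example's own construction.

```python
"""Consistency checks for a 5x5 probability-impact risk register.

Added example, not part of the original register. The sample rows are
transcribed from the two tables on this page; everything else (function names,
the SoA identifier set) is this example's own construction.
"""
from __future__ import annotations

from dataclasses import dataclass

# Score bands from the scoring legend: (lowest score, highest score, label).
# A product of two integers in 1..5 can never be 7, 11, 13, 14 or 17-19, so the
# gaps between bands never swallow a real score.
RISK_BANDS = (
    (1, 6, "Low"),
    (8, 10, "Medium"),
    (12, 16, "High"),
    (20, 25, "Critical"),
)


def risk_score(probability: int, impact: int) -> int:
    """Risk score = Probability x Impact, each an integer on the 1..5 scale."""
    for name, value in (("probability", probability), ("impact", impact)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer in 1..5, got {value!r}")
    return probability * impact


def risk_level(score: int) -> str:
    """Map a score to its band; scores no 1..5 product can produce are rejected."""
    for low, high, label in RISK_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"{score} is not a product of two ratings in 1..5")


@dataclass(frozen=True)
class RiskRow:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    impact: int
    probability: int
    recorded_level: str  # the "Risk Level" cell exactly as written, e.g. "15 - High"


@dataclass(frozen=True)
class TreatmentRow:
    risk_id: str
    option: str  # Mitigate, Accept or Transfer
    controls: tuple[str, ...]
    owner: str
    target_date: str
    status: str


# Annex A identifiers (ISO/IEC 27001:2022 numbering) for the eleven control
# statements in the Statement of Applicability on this page.
SOA_CONTROLS = frozenset({
    "A.5.1", "A.5.2", "A.5.3", "A.6.1", "A.6.2", "A.6.3",
    "A.7.1", "A.7.2", "A.8.1", "A.8.2", "A.8.3",
})

# Rows transcribed from the Risk Register and Risk Treatment Plan tables.
REGISTER = (
    RiskRow("R001", "Customer Database", "Unauthorized Access", "Weak Authentication", 5, 3, "15 - High"),
    RiskRow("R002", "Email System", "Malware/Phishing", "Insufficient Email Security", 4, 3, "12 - High"),
)
TREATMENTS = (
    TreatmentRow("R001", "Mitigate", ("A.8.2", "A.8.3"), "IT Security Manager", "2024-03-31", "In Progress"),
    TreatmentRow("R002", "Mitigate", ("A.8.1", "A.6.3"), "IT Administrator", "2024-02-28", "Completed"),
)


def check_register(register, treatments, soa_controls) -> list[str]:
    """Return findings as strings; an empty list means the two tables agree."""
    findings: list[str] = []
    levels = {}
    for row in register:
        score = risk_score(row.probability, row.impact)
        levels[row.risk_id] = risk_level(score)
        expected = f"{score} - {levels[row.risk_id]}"
        if row.recorded_level != expected:
            findings.append(f"{row.risk_id}: recorded '{row.recorded_level}', computed '{expected}'")
    treated = set()
    for t in treatments:
        treated.add(t.risk_id)
        if t.risk_id not in levels:
            findings.append(f"{t.risk_id}: treatment plan references a risk not in the register")
        unknown = [c for c in t.controls if c not in soa_controls]
        if unknown:
            findings.append(f"{t.risk_id}: controls not in the SoA: {', '.join(unknown)}")
        if t.option == "Mitigate" and not t.controls:
            findings.append(f"{t.risk_id}: Mitigate chosen but no controls assigned")
    # Low risks are "Acceptable - Monitor"; anything above Low needs a treatment decision.
    for risk_id, level in levels.items():
        if level != "Low" and risk_id not in treated:
            findings.append(f"{risk_id}: {level} risk has no treatment entry")
    return findings


if __name__ == "__main__":
    for finding in check_register(REGISTER, TREATMENTS, SOA_CONTROLS) or ["register consistent"]:
        print(finding)
```

Run against the two rows on this page the check reports nothing; it only produces findings when a hand-typed level disagrees with the matrix, a treatment row cites a control missing from the SoA, or a Medium or higher risk has no treatment decision at all.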