Initial commit
83
03-procedures/risk-assessment-procedure.md
Normal file
@@ -0,0 +1,83 @@
Title: Risk Assessment Procedure
Document ID: [PROC-RISK-001]
Version: 0.1 Draft
Status: Draft
Owner: CISO (Paul Jenkins)
Approver: CISO (Paul Jenkins)
Classification: Internal
Effective date: [DD Month YYYY]
Review date: [DD Month YYYY]

# Risk Assessment Procedure

## Purpose

This procedure defines how BlackDice should perform and record information security risk assessments using the approved methodology.

## Scope

This procedure applies to assessments of in-scope services, systems, projects, suppliers, changes, exceptions, incidents, and other relevant activities.

## Trigger / When Used

Use this procedure when:

- a new system, service, supplier, or change is introduced
- a periodic risk review is due
- an incident, audit finding, or exception requires assessment
- management requests reassessment due to changed conditions

## Procedure Steps

1. Define the subject of the assessment, including scope, owner, context, and assessment objective.
2. Identify relevant assets, threats, vulnerabilities, dependencies, and potential impacts.
3. Assess likelihood and impact using the approved risk methodology and current business context.
4. Determine the initial risk rating and compare it with risk acceptance criteria.
5. Identify proposed treatment options, compensating controls, or risk acceptance needs.
6. Assign a risk owner, review date, and action plan where treatment is required.
7. Record the assessment outcome in the approved format or register.
8. Escalate significant risks for approval, treatment prioritisation, or formal acceptance as required.

## Inputs

- assessment scope and context
- asset and service information
- risk methodology
- supporting evidence such as architecture, incidents, audits, or supplier data

## Outputs / Records

- completed risk assessment
- treatment actions or acceptance decision
- risk register update
- escalation record where applicable

## Roles and Responsibilities

- Assessors must apply the methodology consistently and document the rationale.
- Risk owners must review and accept accountability for assigned risks.
- [Role] must maintain oversight of process quality and risk tracking.

## Escalation / Exceptions

Escalate where:

- a risk exceeds normal acceptance thresholds
- ownership is unclear
- the treatment plan cannot be agreed
- the risk has customer, regulatory, or major service implications

Exceptions to the process must be documented and approved where necessary.

## Related Documents

- Risk Assessment and Treatment Methodology
- Exception Management Procedure
- Corrective Action Procedure
- Risk Register Template

## Version Control

| Version | Date | Description of Change | Author |
| --- | --- | --- | --- |
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |
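Review bot: the Roles and Responsibilities section still carries an unfilled `[Role]` placeholder for the party that "must maintain oversight of process quality and risk tracking", even though the header already names the CISO as Owner; fill it in, or state that a different role is intended, otherwise the Escalation section has no named accountable party to escalate to. Related: Owner and Approver are the same person (CISO, Paul Jenkins), so the procedure is effectively self-approved; a second approver, or an explicit note that this is accepted for the draft, would close that gap. Smaller points: step 7 refers to "the approved format or register" without naming the Risk Register Template listed under Related Documents, and step 4's "risk acceptance criteria" would benefit from a pointer to where they are defined (presumably the Risk Assessment and Treatment Methodology); the Version Control row also still has an `[Name or Role]` author placeholder although version and owner are filled in.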