ISMS/03-procedures/risk-assessment-procedure.md
Paul Jenkins 5eade2d99b Initial commit
2026-03-26 09:35:22 +00:00

Title: Risk Assessment Procedure
Document ID: [PROC-RISK-001]
Version: 0.1 Draft
Status: Draft
Owner: CISO (Paul Jenkins)
Approver: CISO (Paul Jenkins)
Classification: Internal
Effective date: [DD Month YYYY]
Review date: [DD Month YYYY]

Risk Assessment Procedure

Purpose

This procedure defines how BlackDice should perform and record information security risk assessments using the approved methodology.

Scope

This procedure applies to assessments of in-scope services, systems, projects, suppliers, changes, exceptions, incidents, and other relevant activities.

Trigger / When Used

Use this procedure when:

  • a new system, service, supplier, or change is introduced
  • a periodic risk review is due
  • an incident, audit finding, or exception requires assessment
  • management requests reassessment due to changed conditions

Procedure Steps

  1. Define the subject of the assessment, including scope, owner, context, and assessment objective.
  2. Identify relevant assets, threats, vulnerabilities, dependencies, and potential impacts.
  3. Assess likelihood and impact using the approved risk methodology and current business context.
  4. Determine the initial risk rating and compare it with risk acceptance criteria.
  5. Identify proposed treatment options, compensating controls, or risk acceptance needs.
  6. Assign a risk owner, review date, and action plan where treatment is required.
  7. Record the assessment outcome in the approved format or register.
  8. Escalate significant risks for approval, treatment prioritisation, or formal acceptance as required.

Inputs

  • assessment scope and context
  • asset and service information
  • risk methodology
  • supporting evidence such as architecture, incidents, audits, or supplier data

Outputs / Records

  • completed risk assessment
  • treatment actions or acceptance decision
  • risk register update
  • escalation record where applicable

Roles and Responsibilities

  • Assessors must apply the methodology consistently and document the rationale.
  • Risk owners must review and accept accountability for assigned risks.
  • [Role] must maintain oversight of process quality and risk tracking.

Escalation / Exceptions

Escalate where:

  • a risk exceeds normal acceptance thresholds
  • ownership is unclear
  • the treatment plan cannot be agreed
  • the risk has customer, regulatory, or major service implications

Exceptions to the process must be documented and approved where necessary.

Related Documents

  • Risk Assessment and Treatment Methodology
  • Exception Management Procedure
  • Corrective Action Procedure
  • Risk Register Template

Version Control

| Version   | Date             | Description of Change | Author         |
|-----------|------------------|-----------------------|----------------|
| 0.1 Draft | [DD Month YYYY]  | Initial draft.        | [Name or Role] |