| Field | Value |
| --- | --- |
| Title | Risk Assessment Procedure |
| Document ID | [PROC-RISK-001] |
| Version | 0.1 Draft |
| Status | Draft |
| Owner | CISO (Paul Jenkins) |
| Approver | CISO (Paul Jenkins) |
| Classification | Internal |
| Effective date | [DD Month YYYY] |
| Review date | [DD Month YYYY] |

# Risk Assessment Procedure

## Purpose

This procedure defines how BlackDice performs and records information security risk assessments using the approved Risk Assessment and Treatment Methodology.

## Scope

This procedure applies to assessments of in-scope services, systems, projects, suppliers, changes, exceptions, incidents, and other relevant activities.

## Trigger / When Used

Use this procedure when:

- a new system, service, supplier, or change is introduced
- a periodic risk review is due
- an incident, audit finding, or exception requires assessment
- management requests reassessment due to changed conditions

## Procedure Steps

1. Define the subject of the assessment, including scope, owner, context, and assessment objective.
2. Identify relevant assets, threats, vulnerabilities, existing controls, dependencies, and potential impacts.
3. Assess likelihood and impact using the approved risk methodology and current business context.
4. Determine the initial risk rating and compare it with the risk acceptance criteria defined in the methodology.
5. Identify proposed treatment options, compensating controls, or risk acceptance needs.
6. Assign a risk owner, review date, and action plan where treatment is required.
7. Record the assessment outcome in the approved format or register.
8. Escalate significant risks for approval, treatment prioritisation, or formal acceptance as required.

## Inputs

- assessment scope and context
- asset and service information
- risk methodology
- supporting evidence such as architecture, incidents, audits, or supplier data

## Outputs / Records

- completed risk assessment
- treatment actions or acceptance decision
- risk register update
- escalation record where applicable

## Roles and Responsibilities

- Assessors must apply the methodology consistently and document the rationale.
- Risk owners must review and accept accountability for assigned risks.
- [Role] must maintain oversight of process quality and risk tracking.

## Escalation / Exceptions

Escalate where:

- a risk exceeds normal acceptance thresholds
- ownership is unclear
- the treatment plan cannot be agreed
- the risk has customer, regulatory, or major service implications

Exceptions to this procedure must be documented and, where required, approved under the Exception Management Procedure.

## Related Documents

- Risk Assessment and Treatment Methodology
- Exception Management Procedure
- Corrective Action Procedure
- Risk Register Template

## Version Control

| Version | Date | Description of Change | Author |
| --- | --- | --- | --- |
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |