Reference Toolkit

13. An Information Security Risk Assessment Procedure - Example

Information Security Risk Criteria

Performing Information Security Risk Assessments

The criteria for prompting a risk assessment will be:
1. Significant changes to the business affecting information security (determined by the
Information Security Management Forum (ISMF))
2. A new contract involving bespoke information security requirements (determined by the
ISMF)
3. After an Information Incident (single or series of unwanted or unexpected information
security events as agreed by the ISMF)
4. A period not exceeding 3 years

Information Security Risk Acceptance Criteria

The criteria for information security risk acceptance is detailed below:

4 8 12 16
LIKELIHOOD

3 6 9 12
2 4 6 8
1 2 3 4
IMPACT
Any scores within the red and amber area are to be categorized as unacceptable and
prioritized as risk to be treated. Any scores outside the unacceptable area will not be
prioritized for treatment but will be assessed for risk reduction in pursuit of continual
improvement.

Identifying Information Security Risks

An inventory of asset groups will be created that reflect the information types held within
XXX.
These asset groups will be individually assessed for risk treatment as if they were singular
assets. Any assets within each group, that needs to be assessed separately from the group,
will be identified uniquely in the asset register.
Internal and external issues identified within the Context and the specific requirements of
our interested parties will be seen as asset groupings and risk assessed with opportunities
identified, and treatment options considered.

ISM02201ENGX v1.0 Oct 2013 The British Standards Institution 2013 1 of 2

 Reference Toolkit

Other risk sources, such as reported information security events or incidents, will also be
considered for risk assessment. This will be determined by the ISMF at their quarterly
meetings.

Analyzing Information Security Risks

The potential consequences and realistic likelihood are determined for each asset group,
each on a scale of 1 4 to identify a risk score.

Impact Descriptors
1. Low internal issue affecting low number of users
2. Medium internal issues affecting a single department
3. High affecting small number of customer users and/or all internal users
4. Major affecting all customers

Likelihood Descriptors
1. Unlikely to occur
2. May occur every 2 years
3. May occur at least twice a year
4. Highly likely to occur

Evaluating Information Security Risks

Based on the Risk Acceptance Criteria detailed above we have identified a score of over 12
as being the threshold for risk treatment. These Information Security Risks will then be
prioritized using a number score. The highest priority for risk treatment will be scores above
12. The next level of priority will be scores above 5. Scores below 5 will not be prioritized
for risk treatment.

ISM02201ENGX v1.0 Oct 2013 The British Standards Institution 2013 2 of 2