Professional Documents
Culture Documents
4 8 12 16
LIKELIHOOD
3 6 9 12
2 4 6 8
1 2 3 4
IMPACT
Any scores within the red and amber area are to be categorized as unacceptable and
prioritized as risk to be treated. Any scores outside the unacceptable area will not be
prioritized for treatment but will be assessed for risk reduction in pursuit of continual
improvement.
Other risk sources, such as reported information security events or incidents, will also be
considered for risk assessment. This will be determined by the ISMF at their quarterly
meetings.
Impact Descriptors
1. Low internal issue affecting low number of users
2. Medium internal issues affecting a single department
3. High affecting small number of customer users and/or all internal users
4. Major affecting all customers
Likelihood Descriptors
1. Unlikely to occur
2. May occur every 2 years
3. May occur at least twice a year
4. Highly likely to occur