Risk Management Process

(In compliance with ISO 27001: 2013 and ISO 31000: 2018)

| Activity No. | Requirements | Flow chart | Approach |
|---|---|---|---|
| A | Planning phase | Planning | Adopt the PDCA methodology. |
| A1 | Scope, context and criteria finalisation | Finalise scope, context and criteria | To ensure adequacy, initially finalise the scope, context and criteria. |
| A2 | Define how to identify the risks that could cause the loss of confidentiality, integrity and/or availability of your information. | Plan how to identify risks | Identify risks based on assets, threats and vulnerabilities; based on SOC processes; based on functions/departments; using only threats and not vulnerabilities; or any other approved methodology. |
| A3 | Define how to identify the risk owners. | Plan how to identify risk owner(s) | Choose a person who is both interested in resolving a risk and positioned highly enough in the organization to do something about it. |
| A4 | Define criteria for assessing consequences and assessing the likelihood of the risk. | Set criteria for assessing consequences and assessing the likelihood of the risk | Assess the consequences and likelihood separately for each of your risks; you are completely free to use whichever scales you like. |
| A5 | Define how the risk will be calculated. | Set risk calculation methodology | This is usually done through addition (e.g., 2 + 5 = 7) or through multiplication (e.g., 2 x 5 = 10) of likelihood and impact. If you use a scale of Low-Medium-High, this is the same as using a scale of 1-2-3, so you still have numbers for calculation. |
| A6 | Define the criteria for accepting risks. | Set and establish the criteria for accepting risks | In the quantitative method of risk calculation, if it produces values from 2 to 10, you can decide that an acceptable level of risk is, e.g., 7; this would mean that only the risks valued at 8, 9 and 10 need treatment. Alternatively, if a qualitative method is adopted, you can examine each individual risk and decide whether it should be treated based on your own insight and experience, using no pre-defined values. |
| A7 | Establish the criteria for information security risk assessments. | Set and establish the criteria for performing information security risk assessments | Set baseline information security criteria such as information security breaches, incident management, etc. |
| A8 | Define risk treatment and escalation criteria. | Set criteria for risk treatment and escalation | Define when to escalate and to whom to escalate. |
| B | Risk assessment phase | Risk assessment | |
| B1 | Risk identification | Identification/reporting of risk | Provide adequate training to the staff regarding the information security risks and the method of identification and reporting. |
| B2 | Inform risk owners | Information to risk owners | Report or inform the risk owners with immediate effect. |
| B3 | Risk assessment | Risk assessment: match assets, threats and vulnerabilities; assess likelihood and impact | All the risks reported shall be subjected to initial analysis by assessing their likelihood and impact as planned. |
| B4 | | Risk accepted? | |
| B5 | Accepting / not accepting the risk | Acceptance / non-acceptance of risk | |
| B6 | Register and record risk | Register and record risk | Register and record the risk for further evaluation. |
| B7 | Communication | Record; communication to interested parties | Communicate to all the interested parties to avoid/minimise the impact of the risks identified. |
| B8 | Detailed risk evaluation | Risk evaluation | Detailed evaluation of the risk by assessing the likelihood and impact of the identified risk on all the associated assets, threats and vulnerabilities. |
| C | Risk treatment | Escalation based on risk; risk mitigation / treatment | |
| C1 | Decrease the risk | Decrease risk, possible? | This option is the most common, and it includes implementation of safeguards (controls) such as fire-suppression systems. For that purpose, the controls from ISO 27001 Annex A are used (and any other controls that a company thinks are appropriate). |
| C2 | Avoid the risk | Avoiding the risk, possible?; communicate to interested parties | Stop performing certain tasks or processes if they incur risks that are simply too big to mitigate with any other option; e.g., you can decide to ban the usage of laptops outside of the company premises if the risk of unauthorized access to those laptops is too high (because, e.g., such hacks could halt the complete IT infrastructure you are using). |
| C3 | Share the risk | Share the risk, possible?; identify measures and assign partners | This means you transfer the risk to another party; e.g., you buy an insurance policy for your building against fire, thereby transferring part of your financial risk to an insurance company. Unfortunately, this option does not have any influence on the incident itself, so the best strategy is to use it together with the above two options. |
| C4 | Retain the risk | Retain the risk | This is the least desirable option, and it means the organization accepts the risk without doing anything about it. It should be used only if the mitigation cost would be higher than the damage an incident would incur. |
| C5 | | | |
| C6 | Implementation of risk treatment plan | Prepare and implement risk treatment plans | Implement adequate measures to reduce either likelihood or impact, or both. |
| D | Monitor and review risk treatment activities and their performance | Monitor and review the risk treatment | Carry out as planned. |
| E1 | Recording and reporting | Recording, analysing and reporting risk-related data | Record, analyse and report the risk-related data, including avoided risks, transferred risks, decreased risks, shared risks and retained risks, to facilitate consultation for further improvement. |
| E2 | Review of risk data and risk treatment activities for their suitability and adequacy | Review of risk data and risk treatment | Review of the data shall be carried out by top management or appointed experts to ensure the effectiveness of the processes. |
| F | Integration with other processes | Integrate risk management with business processes and ensure continual improvement | Integrate the risk management system with other business processes and management systems; this will enhance continual improvement of the risk management system and the effectiveness of business processes. |
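As an added worked example (not part of this sample process or of Spice Solutions' material), the calculation and acceptance rules of A5 and A6 and the assess, accept or register steps of B3 to B6 in Python; the risks, owners and the 1-5 rating scale are constructed assumptions.

```python
# Added example, not part of the original process document: a small risk
# register calculator for A5 (risk calculation), A6 (acceptance criteria) and
# B3-B6 (assess each reported risk, then accept it or register it for treatment).

# Low-Medium-High is the same as 1-2-3, so labels still yield numbers to calculate with.
QUALITATIVE_SCALE = {"low": 1, "medium": 2, "high": 3}

def to_score(value):
    """Accept either a numeric rating or a Low/Medium/High label."""
    if isinstance(value, str):
        return QUALITATIVE_SCALE[value.strip().lower()]
    if not isinstance(value, int) or value < 1:
        raise ValueError(f"rating must be a positive integer or a label: {value!r}")
    return value

def calculate_risk(likelihood, impact, method="addition"):
    """Combine likelihood and impact by addition (2 + 5 = 7) or multiplication (2 x 5 = 10)."""
    l, i = to_score(likelihood), to_score(impact)
    if method == "addition":
        return l + i
    if method == "multiplication":
        return l * i
    raise ValueError(f"unknown calculation method: {method}")

def assess_register(risks, method="addition", acceptable_level=7):
    """Score each risk and apply the acceptance criterion (B3-B6).

    On a 1-5 additive scale scores run from 2 to 10; with an acceptable level
    of 7 only risks scoring 8, 9 or 10 are registered for treatment.
    """
    records = []
    for risk in risks:
        score = calculate_risk(risk["likelihood"], risk["impact"], method)
        records.append({"risk": risk["risk"], "owner": risk["owner"],
                        "score": score, "accepted": score <= acceptable_level})
    return records

def treatment_queue(records):
    """Non-accepted risks, highest score first, handed to the treatment phase (C)."""
    return sorted((r for r in records if not r["accepted"]), key=lambda r: -r["score"])

# Constructed sample register on a 1-5 scale; risks and owners are hypothetical.
SAMPLE_RISKS = [
    {"risk": "Laptop theft outside premises", "owner": "IT Manager", "likelihood": 4, "impact": 5},
    {"risk": "Server room fire", "owner": "Facilities Head", "likelihood": 2, "impact": 5},
    {"risk": "Phishing against finance staff", "owner": "CFO", "likelihood": 3, "impact": 3},
]
```

Switching `method` to `"multiplication"` while keeping the same acceptable level of 7 sends all three sample risks to treatment, which is why A6 asks that the acceptance criterion be set for the calculation method actually chosen.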

Spice Solutions - ISMS Consultant Sample Process for Risk Management
