Risk Management Approach For ISO27001
Risk matrix
In order to allocate risks and understand their criticality, a 5x5 matrix is used, with the likelihood of a risk
and the impact of a risk forming the X and Y axes. The grid score represents the risk criticality.
                        Level of Consequence/Impact
Level of Probability    1 (Insignificant)  2 (Minor)   3 (Moderate)  4 (Major)   5 (Catastrophic)
A (Almost Certain)      Medium             High        Very High     Critical    Critical
B (Probable)            Medium             Medium      High          Very High   Critical
C (Possible)            Low                Medium      High          High        Very High
D (Improbable)          Very Low           Low         Medium        Medium      High
E (Rare)                Very Low           Very Low    Low           Medium      Medium
Each of the steps that follow includes an example to assist in understanding the process.
The key steps in conducting this risk assessment approach, each of which is recorded in the risk
register, are:
Business Introduction
At the start of the assessment session, the business leader should describe the business functions,
operations, the types of data held and their value. Because Mazars handles large amounts of client data,
including commercially sensitive information, understanding this is key to ensuring that risk can be
correctly allocated.
Group IT Page | 1
Scenario Generation
Once an understanding of the business is achieved, the team works together to consider what
events could happen that would have an impact on the confidentiality, availability or impact of the
business systems/data. Each of these events can then be assessed.
Example: An event could be "A system admin falls prey to a phishing attack, installing
malware onto corporate IT systems."
Example: Continuing the phishing example, the team considers the knowledge and phishing
awareness of staff and any other controls currently in place to mitigate it. If the IT admin has
poor security awareness and has fallen for phishing in the past, it could be assessed as "Probable"
that this event will occur again, given the prevalence of this attack vector.
Example: In this example, an Admin user would have 100% access to all business data, allowing an
attacker with that access either to exfiltrate data or to encrypt all business systems. As there are few
controls in place to mitigate this impact, it would be assessed as Catastrophic for the business, because
data loss would have a reputational, regulatory and operational impact on the business.
Example: A likelihood of "Probable" and an impact of "Catastrophic" on the matrix denote a
Critical risk.
Example: Possible remediations include providing security awareness training, adding email filtering,
segregating admin and user accounts, and segregating the network logically. Note that some of
these are administrative controls (affecting behaviour through policy) and some are technical controls.
Reassess risk
Conduct the same assessment, but with these controls theoretically in place. Does this reduce the
risk to a level where the cost, likelihood and impact are acceptable?
Example: In this instance, having email filtering and education in place would reduce the
likelihood to Possible. Having the network segregated, and admin users operating with their
"user account" and only using the admin account by exception/need, would reduce the impact to Moderate.
These actions would reduce the overall risk from "Catastrophic" to "High".
Then, with the approval of the risk and budget holder, this remediation work can be scheduled and
conducted. Do further controls need to be put in place, or is this risk now acceptable to the business?
This is a decision for the risk holder, taking advice from the teams and subject matter experts.
This approach should then be repeated for every risk that was generated in the scenario generation
session.
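As an added illustration (not part of the Mazars document), the matrix and the reassess step above as a small risk-register model in Python: it scores inherent risk from the grid, rejects a reassessment whose "controls" would raise the rating, and compares the residual rating against a stated appetite. The re-scored values follow the phishing example in the text; tagging each remediation as "administrative" or "technical" is my own assumption.

```python
from dataclasses import dataclass, field

# 5x5 matrix transcribed from the document: rows are likelihood A (Almost
# Certain) .. E (Rare), columns are impact 1 (Insignificant) .. 5 (Catastrophic).
MATRIX = {
    "A": ["Medium", "High", "Very High", "Critical", "Critical"],
    "B": ["Medium", "Medium", "High", "Very High", "Critical"],
    "C": ["Low", "Medium", "High", "High", "Very High"],
    "D": ["Very Low", "Low", "Medium", "Medium", "High"],
    "E": ["Very Low", "Very Low", "Low", "Medium", "Medium"],
}
RATINGS = ["Very Low", "Low", "Medium", "High", "Very High", "Critical"]  # ascending

def rate(likelihood: str, impact: int) -> str:
    # Grid score for one likelihood row and impact column; rejects off-matrix input.
    if likelihood not in MATRIX or impact not in range(1, 6):
        raise ValueError(f"off-matrix assessment: {likelihood}/{impact}")
    return MATRIX[likelihood][impact - 1]

@dataclass
class RiskEntry:
    # One risk-register row: inherent score, proposed controls, residual score.
    scenario: str
    likelihood: str  # inherent likelihood, A..E
    impact: int      # inherent impact, 1..5
    controls: list = field(default_factory=list)  # (name, "administrative"|"technical")
    residual: tuple = None  # (likelihood, impact) once reassessed
    def inherent_rating(self) -> str:
        return rate(self.likelihood, self.impact)
    def reassess(self, likelihood: str, impact: int, controls: list) -> str:
        # Re-score with the controls theoretically in place; a control set that
        # raises the rating is a scoring error, so reject it.
        new = rate(likelihood, impact)
        if RATINGS.index(new) > RATINGS.index(self.inherent_rating()):
            raise ValueError("proposed controls must not raise the risk rating")
        self.controls, self.residual = list(controls), (likelihood, impact)
        return new
    def residual_rating(self) -> str:
        return rate(*self.residual) if self.residual else self.inherent_rating()
    def acceptable(self, appetite: str) -> bool:
        return RATINGS.index(self.residual_rating()) <= RATINGS.index(appetite)

def phishing_example() -> RiskEntry:
    # The document's scenario: Probable (B) x Catastrophic (5), re-scored to Possible (C) x Moderate (3).
    r = RiskEntry("System admin falls for phishing, installing malware", "B", 5)
    r.reassess("C", 3, [("Security awareness training", "administrative"),
                        ("Email filtering", "technical"),
                        ("Admin rights used by exception only", "administrative"),
                        ("Logical network segregation", "technical")])
    return r
```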