Professional Documents
Culture Documents
ANCHIS SOP - Risk Assessment methodology
ANCHIS SOP - Risk Assessment methodology
Table of Content
2 Reference documents...................................................................................3
4 Risk mitigation.............................................................................................6
5 Method.........................................................................................................7
1
C2 – Anchis Restricted
Anchis/SOP: 23/01/2022– Risk assessment methodology
5.1 Regular reviews of risk assessment...........................................................7
The purpose of this document is to define the methodology for assessment and
treatment of information risks in anchis. Holdings Limited (anchis.), and to
define the acceptable level of risks according to security laws, regulations and
standards including ISO 27001.
Risk assessment are applied to the entire scope of all assets which are used
within the organization or which could have an impact on information security
within the company.
anchis. will perform a yearly risk analysis, which will provide an accurate and
thorough assessment of the potential risks and vulnerabilities to the
confidentiality, integrity and availability associated with its delivery of
Information Technology (IT) operations services.
Users of this document are all employees of anchis. who take part in risk
assessment.
2. Reference documents
● Information Security Management procedural manual
● Information Security Policy statement
● Risk assessment table
3. Risk Assessment
The table below shows the category and characteristics for risk assessment
Category Characteristics
3
C2 – Anchis Restricted
Anchis/SOP: 23/01/2022– Risk assessment methodology
Risk Risk score is a function of:
● Asset value
● Likelihood of threat, and
● Level of vulnerability
4
C2 – Anchis Restricted
Anchis/SOP: 23/01/2022– Risk assessment methodology
Impact Level Description
Low 1 Existing security controls are strong and have so far provided an
adequate level of protection. No new incidents are expected in the
future.
Medium 2 Existing security controls are moderate and have mostly provide an
adequate level of protection. New incidents are possible, but not highly
likely.
High 3 Existing security controls are low or ineffective. Such incidents have a
high likelihood of occurring in the future.
By entering the values of impact and likelihood into the Risk Assessment
Table, the level of risk is calculated automatically by adding up the two
values. Existing security controls are to be entered in the last column of
the Risk Assessment Table.
4. Risk Mitigation
5. Method
The method of anchis. the Risk Assessment is based on identifying initially risks
and regarding them as unacceptable risks, thereafter conducting a rating and
applying one or more treatment options mentioned below:
Risk owners must review existing risks and update the Risk Assessment
table in line with newly identified risks. The review is conducted at least
once a year, or more frequently in the case of significant organizational
6
C2 – Anchis Restricted
Anchis/SOP: 23/01/2022– Risk assessment methodology
changes, significant change in technology, change of business objectives,
changes in the business environment, etc.
The two (2) principal components of the risk management process (risk
assessment and risk mitigation) will be carried out according to the
following schedule to ensure the continued adequacy and improvement of
the department’s information security program:
On behalf of the risk owners, anchis. top management will accept all
residual risks through the SoA. The Information Security Manager will
prepare the Risk treatment plan in which the implementation of controls
will be planned.
This document shall be reviewed annually after the review of the existing
risk assessment.
7
C2 – Anchis Restricted
Anchis/SOP: 23/01/2022– Risk assessment methodology
When evaluating the effectiveness and adequacy of this document, the
following criteria needs to be considered:
8
C2 – Anchis Restricted
Anchis/SOP: 23/01/2022– Risk assessment methodology