This report confirms that the entire risk assessment and risk treatment process was carried out in accordance with the Risk Assessment Policy.
The purpose of the risk assessment was to identify all information systems, their vulnerabilities, and the threats that could exploit those vulnerabilities. These parameters were then evaluated in order to establish the criticality of each individual risk.
The purpose of the risk treatment was to define a systematic means of reducing or controlling the risks identified during the risk assessment.
All risk assessment and treatment activities were completed within the scope of the organization’s information security program.
The risk assessment was implemented in the period from [day/month/year] to [day/month/year]. The risk treatment was implemented from [day/month/year] to [day/month/year]. Final reports were prepared during [specify period].
The risk assessment and risk treatment process was managed by [person responsible for managing the risk assessment process] with expert assistance provided by [person or company responsible for assistance].
During the risk assessment, information was collected through questionnaires and interviews with the responsible persons, namely the asset owners in each organizational unit.
The process was conducted as follows:
All information systems and their owners were identified.
Threats were identified for each information system, and for each threat the vulnerabilities it could exploit were identified.
Risk owners were identified for each risk.
The consequences of a loss of confidentiality, integrity and availability were evaluated using a score from 0 to 2, with 0 being the lowest rating and 2 being the highest rating.
The likelihood of the risk occurring (i.e. that the threat will exploit the vulnerability) was evaluated using a score from 0 to 2, with 0 being the lowest rating and 2 being the highest rating.
The level of risk was calculated as the sum of the consequence score and the likelihood score, giving a risk level from 0 to 4.
Risks with a level of 3 or 4 were determined to be unacceptable; risks with a level of 0 to 2 were accepted.
For each unacceptable risk, a risk treatment option was selected and the appropriate information security controls were chosen.
For each treated risk, the residual risk expected to remain after the selected controls are applied was assessed.
The following documents were used or generated during the implementation of risk assessment and risk treatment:
Risk Assessment Table (Appendix A): for each combination of information system, threat and vulnerability, this table records the consequence and likelihood scores and the resulting risk level.
Risk Treatment Table (Appendix B): for each unacceptable risk, this table records the selected risk treatment option, the controls chosen, and the level of residual risk.