Example of ISMS Risk Assessment

Column key (the original register has these columns, in this order; each entry below lists them one per line): RA-ID; Risk Owner; Information Asset / Infrastructure Management (Risk Area); Form / Nature of Asset; Applicable Threats (NEW); RA Date; Impact Rating; Justification; Existing Controls (= Strengths); Missing Controls (= Weaknesses); Vulnerability; Justification; Probability; Justification; Revised Risk Value; Recommendation (Yes or No); Revised Risk Category; Residual Risks.

xxx-RA-01
  Risk Owner: All Departments
  Information Asset (Risk Area): xxx Employees (All personnel)
  Form / Nature of Asset: Personnel – Internal
  Applicable Threats: Leak of Sensitive / Critical Data
  RA Date: 01.01.1900
  Impact Rating: 4
  Justification: Teams have category 4 information
  Existing Controls (Strengths): 1. Background screening in place; 2. Most employees undergo induction training; 3. All employees sign the code of conduct
  Missing Controls (Weaknesses): 1. People have the opportunity to send emails. Consider a DLP solution to reduce the opportunity for information theft (check whether DLP is implemented in Office 365)
  Vulnerability: 3
  Justification: One major vulnerability identified; however, the 'ease' factor has high impact
  Probability: 2
  Justification: Human behaviour is unpredictable
  Revised Risk Value: 24
  Recommendation: Yes – DLP verification is WIP
  Revised Risk Category: High
  Residual Risks: One major vulnerability identified; however, the 'ease' factor has high impact

xxx-RA-02
  Risk Owner: All Departments
  Information Asset (Risk Area): xxx Employees (All personnel)
  Form / Nature of Asset: Personnel – Internal
  Applicable Threats: Critical business activities get impacted
  RA Date: 01.01.1900
  Impact Rating: 4
  Justification: Several teams are crucial for availability
  Existing Controls (Strengths): 1. Leave control management in place; 2. Whenever there is an additional manpower requirement, it is addressed as part of HR planning
  Missing Controls (Weaknesses): No known weakness
  Vulnerability: 1
  Justification: No identified vulnerability
  Probability: 2
  Justification: Human behaviour is unpredictable
  Revised Risk Value: 8
  Recommendation: No
  Revised Risk Category: Low
  Residual Risks: No identified vulnerability

xxx-RA-03
  Risk Owner: All Departments
  Information Asset (Risk Area): Operations Applications (Petrel 2012 / GeoFrame – IESX / GeoFrame – Techlog Petrophysical Applications / IHS Kingdom Suite / REP / Merak – Peep / Merak – Volts / Oil Field Manager / Eclipse / Interactive Petrophysics / Croker / Kingdom Suite / REP / Questor – Onshore/Offshore 9.8 / Mbal 8.0 / Pansystem 3.2 / Rose Risk Multi-mode Risk Analysis / Tellus Database / LiveQuest Solution / Zeh Composer Seisworks + Zmap / PEEP / GEM (Eco Software) / Eclipse-Office)
  Form / Nature of Asset: Business Applications
  Applicable Threats: Confidential data leakage
  RA Date: 01.01.1900
  Impact Rating: 4
  Justification: Unauthorized access leading to information theft (by an outsider)
  Existing Controls (Strengths): Access controls in place. Central AD protects primary authentication, followed by application-specific controls.
  Missing Controls (Weaknesses): No known weakness
  Vulnerability: 1
  Justification: No weakness identified
  Probability: 1
  Justification: No incidents in the past one year; unlikely opportunity in the next year
  Revised Risk Value: 4
  Recommendation: No
  Revised Risk Category: Low
  Residual Risks: No weakness identified

xxx-RA-04
  Risk Owner: All Departments
  Information Asset (Risk Area): Common User Applications (Active Directory / IP Telephony / Oracle HRMS / SharePoint Portal / Asset Management System / Enterprise Document Management System / Share drive (G: Drive) / Cogness / RPSystem / Discover / Global Tax Management System (GTMS) / Sun System / Hyperion / Website)
  Form / Nature of Asset: Business Applications
  Applicable Threats: Information leakage and misuse; virus impact on data/servers
  RA Date: 01.01.1900
  Impact Rating: 4
  Justification: Applications are critical to business operations. Most information is rated as 3.
  Existing Controls (Strengths): Most products deployed are standard tools from recognized vendors/OEMs.
  Missing Controls (Weaknesses): 1. OFI in the change management process; 2. OFI in better access control
  Vulnerability: 3
  Justification: Two identified vulnerabilities
  Probability: 1
  Justification: No suspected incidents of application performance problems or misuse in the last year
  Revised Risk Value: 12
  Recommendation: Yes
  Revised Risk Category: High
  Residual Risks: 1. OFI in the change management process; 2. OFI in better access control

xxx-RA-05
  Risk Owner: IT Support
  Information Asset (Risk Area): Switch configurations
  Form / Nature of Asset: LAN Management
  Applicable Threats: Network down / impact on day-to-day business operations
  RA Date: 01.01.1900
  Impact Rating: 4
  Justification: Internal connectivity outage
  Existing Controls (Strengths): Redundant network, secure configuration
  Missing Controls (Weaknesses): No known weakness
  Vulnerability: 1
  Justification: No known weakness
  Probability: 1
  Justification: No suspected incidents of application performance problems or misuse in the last year
  Revised Risk Value: 4
  Recommendation: No
  Revised Risk Category: Low
  Residual Risks: No weakness identified

xxx-RA-06
  Risk Owner: IT Support
  Information Asset (Risk Area): Router configurations
  Form / Nature of Asset: WAN Management
  Applicable Threats: Impact on day-to-day business operations
  RA Date: 01.01.1900
  Impact Rating: 4
  Justification: External connectivity outage
  Existing Controls (Strengths): Redundant network, secure configuration
  Missing Controls (Weaknesses): No known weakness
  Vulnerability: 1
  Justification: No known weakness
  Probability: 1
  Justification: No suspected incidents of application performance problems or misuse in the last year
  Revised Risk Value: 4
  Recommendation: No
  Revised Risk Category: Low
  Residual Risks: No weakness identified

xxx-RA-07
  Risk Owner: IT Support
  Information Asset (Risk Area): Wireless configurations
  Form / Nature of Asset: Wireless Management
  Applicable Threats: Data leakage due to unauthorized access
  RA Date: 01.01.1900
  Impact Rating: 3
  Justification: Office connectivity of mobile users
  Existing Controls (Strengths): Alternate network-based controls exist; limited access
  Missing Controls (Weaknesses): No known weakness
  Vulnerability: 1
  Justification: No known weakness
  Probability: 1
  Justification: No suspected incidents of application performance problems or misuse in the last year
  Revised Risk Value: 3
  Recommendation: No
  Revised Risk Category: Low
  Residual Risks: No weakness identified

xxx-RA-08
  Risk Owner: IT Support
  Information Asset (Risk Area): All Servers (Unix and Windows: Windows XP SP3 / Windows 2003 / Windows 2008 / Solaris / Linux)
  Form / Nature of Asset: Server Management
  Applicable Threats: Data loss
  RA Date: 01.01.1900
  Impact Rating: 4
  Justification: High availability, high confidentiality
  Existing Controls (Strengths): A combination of policies is in place, including patch management and vulnerability management; certified staff handle the changes
  Missing Controls (Weaknesses): No known weakness
  Vulnerability: 1
  Justification: No known weakness
  Probability: 1
  Justification: No suspected incidents of application performance problems or misuse in the last year
  Revised Risk Value: 4
  Recommendation: No
  Revised Risk Category: Low
  Residual Risks: No weakness identified

xxx-RA-09
  Risk Owner: IT Support
  Information Asset (Risk Area): Database Management (SQL and Oracle)
  Form / Nature of Asset: Database Management
  Applicable Threats: Impact on day-to-day business operations
  RA Date: 01.01.1900
  Impact Rating: 4
  Justification: High availability, high confidentiality
  Existing Controls (Strengths): A combination of policies is in place, including patch management and vulnerability management; certified staff handle the changes
  Missing Controls (Weaknesses): No known weakness
  Vulnerability: 1
  Justification: No known weakness
  Probability: 1
  Justification: No suspected incidents of application performance problems or misuse in the last year
  Revised Risk Value: 4
  Recommendation: No
  Revised Risk Category: Low
  Residual Risks: No weakness identified

xxx-RA-10
  Risk Owner: IT Support
  Information Asset (Risk Area): Security Applications (Access Point – Card System / Access Point – Biometrics / Checkpoint VPN / Firewall (Checkpoint) / AV (McAfee) / IPS/IDS (Cisco MARS) / Spam Filter (Symantec) / Backup Management (Tivoli))
  Form / Nature of Asset: Security Applications
  Applicable Threats: Data leakage / corruption due to unauthorized access
  RA Date: 01.01.1900
  Impact Rating: 4
  Justification: Security controls protecting the network
  Existing Controls (Strengths): A combination of policies is in place, including patch management and vulnerability management; certified staff handle the changes
  Missing Controls (Weaknesses): No known weakness
  Vulnerability: 1
  Justification: No known weakness
  Probability: 1
  Justification: No suspected incidents of application performance problems or misuse in the last year
  Revised Risk Value: 4
  Recommendation: No
  Revised Risk Category: Low
  Residual Risks: No weakness identified

xxx-RA-11
  Risk Owner: IT Support
  Information Asset (Risk Area): Desktop Management (Dell)
  Form / Nature of Asset: Desktop Management
  Applicable Threats: Daily business activities impacted / delayed
  RA Date: 01.01.1900
  Impact Rating: 4
  Justification: End-user infrastructure
  Existing Controls (Strengths): Standard list of software installed; malware protection that combines gateway and end-user malware protection
  Missing Controls (Weaknesses): No known weakness
  Vulnerability: 1
  Justification: No known weakness
  Probability: 1
  Justification: No suspected incidents of application performance problems or misuse in the last year
  Revised Risk Value: 4
  Recommendation: No
  Revised Risk Category: Low
  Residual Risks: No weakness identified

xxx-RA-12
  Risk Owner: IT Support
  Information Asset (Risk Area): Laptop Management (Dell / Apple)
  Form / Nature of Asset: Laptop Management
  Applicable Threats: Impact on day-to-day business operations
  RA Date: 01.01.1900
  Impact Rating: 4
  Justification: End-user infrastructure
  Existing Controls (Strengths): Standard list of software installed; malware protection that combines gateway and end-user malware protection
  Missing Controls (Weaknesses): No known weakness
  Vulnerability: 1
  Justification: No known weakness
  Probability: 2
  Justification: Laptop theft is an opportunity
  Revised Risk Value: 8
  Recommendation: No
  Revised Risk Category: Medium
  Residual Risks: No weakness identified

xxx-RA-13
  Risk Owner: General Services
  Information Asset (Risk Area): Physical Access Management (building, floors, work area, server room/s, generator areas)
  Form / Nature of Asset: Physical Access Management
  Applicable Threats: People / business information or data impacted
  RA Date: 01.01.1900
  Impact Rating: 4
  Justification: Availability infrastructure
  Existing Controls (Strengths): A combination of controls including manpower, CCTV and access controls is in place
  Missing Controls (Weaknesses): No known weakness
  Vulnerability: 1
  Justification: No known weakness
  Probability: 1
  Justification: No suspected incidents of application performance problems or misuse in the last year
  Revised Risk Value: 4
  Recommendation: No
  Revised Risk Category: Medium
  Residual Risks: No weakness identified

xxx-RA-14
  Risk Owner: IT Support
  Information Asset (Risk Area): Document Management System (share drives / folders / Enterprise Document Management System)
  Form / Nature of Asset: Document Management
  Applicable Threats: Data leakage / corruption / loss
  RA Date: 01.01.1900
  Impact Rating: 4
  Justification: Storage areas for sensitive files/documents
  Existing Controls (Strengths): Access controls in place. Central AD protects primary authentication, followed by application-specific controls.
  Missing Controls (Weaknesses): No known weakness
  Vulnerability: 1
  Justification: No known weakness
  Probability: 1
  Justification: No suspected incidents of application performance problems or misuse in the last year
  Revised Risk Value: 4
  Recommendation: No
  Revised Risk Category: Medium
  Residual Risks: No weakness identified

xxx-RA-15
  Risk Owner: Legal
  Information Asset (Risk Area): External service providers (OEMs providing technical problem and patch management support)
  Form / Nature of Asset: External Service Providers – IT
  Applicable Threats: Financial loss
  RA Date: 01.01.1900
  Impact Rating: 4
  Justification: High availability; their services are critical to application uptime
  Existing Controls (Strengths): SLA in place; most vendors are global and provide 24-7 support
  Missing Controls (Weaknesses): No known weakness
  Vulnerability: 1
  Justification: No known weakness
  Probability: 1
  Justification: No suspected incidents of application performance problems or misuse in the last year
  Revised Risk Value: 4
  Recommendation: No
  Revised Risk Category: Medium
  Residual Risks: No weakness identified

xxx-RA-16
  Risk Owner: Legal
  Information Asset (Risk Area): External service providers (IT consultants)
  Form / Nature of Asset: External Service Providers – Legal
  Applicable Threats: Financial / reputation loss
  RA Date: 01.01.1900
  Impact Rating: 4
  Justification: Teams have configurations which in turn hold category 4 information
  Existing Controls (Strengths): 1. Background screening in place; 2. All vendor staff sign an NDA
  Missing Controls (Weaknesses): 1. People have the opportunity to send emails. Consider a DLP solution to reduce the opportunity for information theft (check whether DLP is implemented in Office 365); 2. Consider bringing vendor staff under the scope of induction on information security
  Vulnerability: 3
  Justification: Two major vulnerabilities identified
  Probability: 2
  Justification: Human behaviour is unpredictable
  Revised Risk Value: 24
  Recommendation: Yes – DLP verification is WIP + training on induction
  Revised Risk Category: High
  Residual Risks: 1. People have the opportunity to send emails. Consider a DLP solution to reduce the opportunity for information theft (check whether DLP is implemented in Office 365); 2. Consider bringing vendor staff under the scope of induction on information security

xxx-RA-17
  Risk Owner: IT Support
  Information Asset (Risk Area): External service providers – IT + Hasibat Information Technology
  Form / Nature of Asset: External Service Providers – IT
  Applicable Threats: Financial loss
  RA Date: 01.01.1900
  Impact Rating: 4
  Justification: Several teams are crucial for availability
  Existing Controls (Strengths): 1. SLA including manpower availability is in place; 2. Vendors who provide patch/problem support are covered in SLA/NDA
  Missing Controls (Weaknesses): No known weakness
  Vulnerability: 1
  Justification: No identified vulnerability
  Probability: 2
  Justification: Human behaviour is unpredictable
  Revised Risk Value: 8
  Recommendation: No
  Revised Risk Category: Low
  Residual Risks: No identified vulnerability

xxx-RA-18
  Risk Owner: Key Departments (Legal / Operations / Commercial / Finance / Human Resources)
  Information Asset (Risk Area): Paper Document Management (agreements / new contracts)
  Form / Nature of Asset: Paper Management
  Applicable Threats: Financial / reputation loss
  RA Date: 01.01.1900
  Impact Rating: 4
  Justification: Printed documents and design documents
  Existing Controls (Strengths): 1. Printers have passwords; 2. Users follow the clear desk and clear screen policy, including paper shredding when no longer in use
  Missing Controls (Weaknesses): Awareness of document handling can be increased
  Vulnerability: 2
  Justification: Paper on desks
  Probability: 1
  Justification: No incidents in the past one year; unlikely opportunity in the next year
  Revised Risk Value: 8
  Recommendation: No
  Revised Risk Category: Low
  Residual Risks: Awareness of document handling can be increased
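The register's figures imply Revised Risk Value = Impact Rating x Vulnerability x Probability, but it states no thresholds for the risk categories. The following checker is an added example, not part of the original register: it re-derives each value from its three ratings and reports any risk value that has been given more than one category, which is the first thing a reviewer would want flagged before the register is signed off. The sample entries are transcribed from the rows above; the formula and the `RiskEntry` layout are assumptions of this example.

```python
"""Consistency checks for an ISMS risk register laid out like the one above.

Assumed scoring (implied by the register, not stated on the page):
    revised_value = impact * vulnerability * probability
Category thresholds are not given, so the checker only reports where the same
risk value has been assigned different categories.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEntry:
    ra_id: str
    impact: int          # Impact Rating (1-4 in the register)
    vulnerability: int   # Vulnerability rating
    probability: int     # Probability rating
    revised_value: int   # Revised Risk Value as recorded
    category: str        # Revised Risk Category as recorded


def expected_value(e: RiskEntry) -> int:
    """Risk value the register's own arithmetic implies for this entry."""
    return e.impact * e.vulnerability * e.probability


def arithmetic_errors(entries):
    """IDs whose recorded value is not impact * vulnerability * probability."""
    return [e.ra_id for e in entries if e.revised_value != expected_value(e)]


def inconsistent_categories(entries):
    """Risk values that have been mapped to more than one category."""
    seen = defaultdict(set)
    for e in entries:
        seen[e.revised_value].add(e.category.lower())
    return {v: sorted(cats) for v, cats in seen.items() if len(cats) > 1}


# Sample entries transcribed from the register above (IDs, ratings and
# categories as recorded there); the remaining rows have the same shape.
SAMPLE = [
    RiskEntry("xxx-RA-01", 4, 3, 2, 24, "High"),
    RiskEntry("xxx-RA-02", 4, 1, 2, 8, "low"),
    RiskEntry("xxx-RA-04", 4, 3, 1, 12, "High"),
    RiskEntry("xxx-RA-05", 4, 1, 1, 4, "Low"),
    RiskEntry("xxx-RA-07", 3, 1, 1, 3, "Low"),
    RiskEntry("xxx-RA-12", 4, 1, 2, 8, "Medium"),
    RiskEntry("xxx-RA-13", 4, 1, 1, 4, "Medium"),
    RiskEntry("xxx-RA-18", 4, 2, 1, 8, "Low"),
]

if __name__ == "__main__":
    print("arithmetic errors:", arithmetic_errors(SAMPLE))
    print("values with conflicting categories:", inconsistent_categories(SAMPLE))
```

Run against the sample rows, the arithmetic checks out for every entry, while the values 4 and 8 each appear under both Low and Medium, which the register should resolve with an explicit value-to-category scale.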

3 thoughts on “Example of ISMS Risk Assessment”

  1. Dear Pretesh, how are you? Hope all is well. This is to explore the possibility of our association for one IATF 16949 certification. Let me know your convenience to discuss.

    Thanks and Regards,
    Sanjeev Jahagirdar
    Technical Director
    T | Integrated Quality Services & Solutions
    E | sanjeev_jahagirdar@yahoo.com
    A | Pune, Maharashtra, India-411058
    M | +91 9552585317 / +91 020 295 295 04
    Connect us | https://www.linkedin.com/in/jahagirdar-sanjeev-55a09118

  2. Of course, this assessment will help in mitigating most intra issues far sight with proper planning & zero tolerance. Good work, Pretesh.
