Clerk.io

Risk Assessment & Treatment Methodology

1. Purpose

To define a consistent and repeatable approach for identifying, analysing, evaluating and treating information-security risks, as required by ISO/IEC 27001 §6.1.2–6.1.3.

2. Process Overview

```mermaid
graph LR
  A[Establish Context] --> B[Identify Risks]
  B --> C[Analyse Likelihood & Impact]
  C --> D[Evaluate & Prioritise]
  D --> E[Treat / Accept / Transfer]
  E --> F[Implement Controls]
  F --> G[Monitor & Review]
  G --> B
```

3. Risk Criteria

| Level | Likelihood (L) | Impact (I) |
|---|---|---|
| 5 | Almost certain (≥90 %) | Catastrophic (≥ €2 M loss, regulatory fines, brand damage) |
| 4 | Likely (50–89 %) | Major (service outage >24 h, >€250 k loss) |
| 3 | Possible (10–49 %) | Moderate (outage 2–24 h, customer complaints) |
| 2 | Unlikely (1–9 %) | Minor (outage <2 h, limited impact) |
| 1 | Rare (<1 %) | Negligible (no customer impact) |

Risk score = L × I (max 25).

4. Risk Acceptance

Risk owners are accountable for approving residual risk.

5. Risk Treatment Options

  1. Mitigate – Apply controls per Statement of Applicability.
  2. Transfer – Use insurance or contractual clauses.
  3. Avoid – Change the process / discontinue activity.
  4. Accept – Senior management sign-off (CEO & CISO).

6. Documentation

Results are captured in:

* Risk Register (risk-register.xlsx) – master list of identified risks.
* Risk Assessment Report – summary for management review.
* Risk Treatment Plan – actions, owners, deadlines.

7. Frequency

8. Roles & Responsibilities

| Role | Responsibility |
|---|---|
| Information Security Manager | Facilitate assessment, maintain register. |
| Risk Owners | Provide input & approve treatment. |
| Executive Management | Approve risk appetite & residual risks. |

9. Tools

Risk assessment is currently performed using ISO 27005-aligned spreadsheets; migration to internal AI agents is underway (target Q4 2025).

10. Review

This methodology is reviewed annually or following major changes in threat landscape.