Key to the ISMS is the documentation of risks.  It is important to see the company’s strengths and weaknesses in terms of managed risks. 

​

There are six steps to Risk Management:

​

1. Define the methodology (Quantitative v Qualitative) and scoring method. Ensure this is relevant to the corporate context.

2. Implementation (Assessment):

   1. Define Assets.

   2. Threats.

   3. Vulnerabilities.

   4. Impact.

   5. Likelihood.

   6. Analyse, Evaluate & Prioritise according to corporate appetite.

3. Implement Treatment:

   1. Prioritise.

   2. Apply Controls from Annex A.

   3. Treat.

   4. Transfer.

   5. Terminate.

   6. Tolerate residual risk.

4. Risk Assessment Report.

5. Statement of Applicability:

   1. Creates the corporate risk profile.

   2. Justification for not using a control.

   3. Key document for the auditor.

6. Risk Treatment Plan. Attribute:

   1. Control definition.

   2. Ownership.

   3. Implementation timescales.

   4. Measure of outcome (success or failure).