Scenario-Based Risk

Assessment and
Treatment Tool
ISMS-FORM-06-3

Implementation Guidance
This document should be used to perform a risk assessment, including assessing the expected effects of
treatments.

Design
This spreadsheet has been designed using CertiKit's colour scheme. To choose a different table colour scheme,
click in the table, select the Table Design menu tab and choose a different style. The same applies to the drop-
down menu "slicers" at the top of the screen. Click in one slicer, then hold down the Shift key and click on the rest,
one by one. This will select them all. Then click on the Slicer menu tab and choose a different style. You can also
create your own table and slicer styles using your own colour scheme to reflect your organization's branding.

Purpose of this document

This document should be used to perform a scenario-based risk assessment, including assessing the expected
effects of treatments.

Areas of the standard addressed

The following areas of the ISO/IEC 27001 standard are addressed:
6.1 Actions to address risks and opportunities
6.1.2 Information security risk assessment
6.1.3 Information security risk treatment

General guidance
The key objective of the risk assessment is to ensure that all of the serious risks that need treatment are identified
so that something can be done about them. Be careful not to make your risk assessment too large or complicated
as much of the impact will be lost and it will be difficult to repeat at a later date. This tool is intended to be used to
assess the effects of the proposed treatments also, so that the level of residual risk can be shown.

As well as the ISO27001 Annex A reference controls, an additional set of controls from the ISO27017 and ISO27018
codes of practice is included here. These controls are generally only relevant if your organization is a cloud service
provider and has decided to adopt these codes of practice in addition to ISO27001.

If you need to select more than one control for a specific risk simply list all of the controls in the same cell by
copying and pasting them from the Reference Controls tab.

A summary of the type of risk that each Annex A control is intended to address is included to aid understanding
and help in identifying risks. This may also be useful when completing your Statement of Applicability.

Review frequency
It is a good idea to revisit this risk assessment on a regular basis and to ensure that new risks that occur are
identified and assessed.

Toolkit version number

ISO/IEC 27001 Toolkit Version 10

02/15/2021 Page 1 of 20 [Insert classfication]

Copyright notice
Except for any specifically identified third-party works included, this document has been authored by CertiKit, and
is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number
6432088.

Licence terms
This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by
download from our website. All other rights are reserved. Unless you have purchased this product you only have
an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the
licensee in the relevant purchase order. The standard licence terms include special terms relating to any third
party copyright included in this document.

Disclaimer
Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are
intended to be used as a starting point only from which you will create your own document and to which you will
apply all reasonable quality checks before use.

Therefore please note that it is your responsibility to ensure that the content of any document you create that is
based on our templates is correct and appropriate for your needs and complies with relevant laws in your country.
You should take all reasonable and proper legal and other professional advice before using this document.

CertiKit makes no claims, promises, or guarantees about the accuracy, completeness, or adequacy of our
document templates, assumes no duty of care to any person with respect its document templates or their
contents, and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred
in reliance on our document templates, or in expectation of our document templates meeting your needs,
including (without limitation) as a result of misstatements, errors and omissions in their contents.

02/15/2021 Page 2 of 20 [Insert classfication]

 Scenario-Based Risk
Assessment and
Treatment Tool
ISMS-FORM-06-3

Assessment Details

Security Classification [Insert classification]

Risk Assessment Title [Short, descriptive title]

Risk Assessment Scope [Describe the scope of the risk assessment - for example, location,
process, assets]
Context of Risk Assessment [Describe the general environment in which the analysis is carried
out and internal and external factors affecting it]
Risk Acceptance Criteria [Set out the factors which will make a risk acceptable and therefore
not require treatment]
Version [Start at Version 1]

Dated [Date the assessment was carried out]

Risk Assessors [Name and title of person(s) carrying out the risk assessment]

Risk Assessment Participants [Names and titles of people contributing to the risk assessment]

Approval [Name and title of approver]

Date Approved [Date the assessment was approved]

02/15/2021 Page 3 of 20 [Insert classfication]

 This shape represents a table This shape represents a table This shape represents a table This shape represents a table This shape represents a table This shape represents a table
slicer. Table slicers are not slicer. Table slicers are not slicer. Table slicers are not slicer. Table slicers are not slicer. Table slicers are not slicer. Table slicers are not
supported in this version of supported in this version of supported in this version of supported in this version of supported in this version of supported in this version of
Excel. Excel. Excel. Excel. Excel. Excel.

If the shape was modified in If the shape was modified in an If the shape was modified in If the shape was modified in If the shape was modified in If the shape was modified in an
an earlier version of Excel, or earlier version of Excel, or if an earlier version of Excel, or an earlier version of Excel, or an earlier version of Excel, or earlier version of Excel, or if
Scenario-Based Risk Assessment and Treatment Tool if the workbook was saved in the workbook was saved in if the workbook was saved in if the workbook was saved in if the workbook was saved in the workbook was saved in
Excel 2007 or earlier, the Excel 2007 or earlier, the slicer Excel 2007 or earlier, the Excel 2007 or earlier, the Excel 2007 or earlier, the slicer Excel 2007 or earlier, the slicer
Start with the risks that are felt to have the highest likelihood and impact slicer can't be used. can't be used. slicer can't be used. slicer can't be used. can't be used. can't be used.
combination first.

RISK DESCRIPTION PRE-TREATMENT ASSESSMENT TREATMENT PLAN POST-TREATMENT ASSESSMENT

Ref Risk Summary Risk Description Risk Type Risk Owner Existing Likelihood Likelihood Impact Impact Risk Score Risk Level Treatment Proposed Annex Treatment Treatment Treatment Action Treatment Treatment Action Post- Post- Post- Treatment Post- Post- Post- Comments
Controls Rationale Rationale Option Treatment A/Control Cost Action Timescale Action Status Treatment Treatment Impact Treatment Treatment Treatment
Chosen Action Reference Owner Progress Likelihood Likelihood Impact Risk Score Risk Level
Rationale Rationale

1 Select… Select… Select… Calculated Calculated Select… Select… Select… Select… Calculated Calculated
2 Select… Select… Select… Calculated Calculated Select… Select… Select… Select… Calculated Calculated
3 Select… Select… Select… Calculated Calculated Select… Select… Select… Select… Calculated Calculated
4 Select… Select… Select… Calculated Calculated Select… Select… Select… Select… Calculated Calculated
5 Select… Select… Select… Calculated Calculated Select… Select… Select… Select… Calculated Calculated
6 Select… Select… Select… Calculated Calculated Select… Select… Select… Select… Calculated Calculated
7 Select… Select… Select… Calculated Calculated Select… Select… Select… Select… Calculated Calculated
8 Select… Select… Select… Calculated Calculated Select… Select… Select… Select… Calculated Calculated
9 Select… Select… Select… Calculated Calculated Select… Select… Select… Select… Calculated Calculated
10 Select… Select… Select… Calculated Calculated Select… Select… Select… Select… Calculated Calculated
11 Select… Select… Select… Calculated Calculated Select… Select… Select… Select… Calculated Calculated
12 Select… Select… Select… Calculated Calculated Select… Select… Select… Select… Calculated Calculated
13 Select… Select… Select… Calculated Calculated Select… Select… Select… Select… Calculated Calculated
14 Select… Select… Select… Calculated Calculated Select… Select… Select… Select… Calculated Calculated
15 Select… Select… Select… Calculated Calculated Select… Select… Select… Select… Calculated Calculated
16 Select… Select… Select… Calculated Calculated Select… Select… Select… Select… Calculated Calculated
17 Select… Select… Select… Calculated Calculated Select… Select… Select… Select… Calculated Calculated
18 Select… Select… Select… Calculated Calculated Select… Select… Select… Select… Calculated Calculated
19 Select… Select… Select… Calculated Calculated Select… Select… Select… Select… Calculated Calculated
20 Select… Select… Select… Calculated Calculated Select… Select… Select… Select… Calculated Calculated

02/15/2021 Page 4 of 20 [Insert classfication]

 ISO/IEC 27001 Annex A, ISO/IEC 27017 and ISO/IEC 27018 Reference Controls
The following list of reference controls is used within the risk assessment worksheets.
Note: ISO27017 and ISO27018 controls will generally only apply if your organization is a Cloud Service Provider (CSP).

REF

A.5 Information security policies

A.5.1 Management direction for information security
A.5.1.1 Policies for information security
A.5.1.2 Review of the policies for information security

A.6 Organization of information security

A.6.1 Internal organization
A.6.1.1 Information security roles and responsibilities
A.6.1.2 Segregation of duties
A.6.1.3 Contact with authorities
A.6.1.4 Contact with special interest groups
A.6.1.5 Information security in project management

A.6.2 Mobile devices and teleworking

A.6.2.1 Mobile device policy
A.6.2.2 Teleworking

CLD.6.3 Relationship between cloud service customer and cloud service provider
CLD.6.3.1 Shared roles and responsibilities within a cloud computing environment

A.7 Human resources security

A.7.1 Prior to employment
A.7.1.1 Screening
A.7.1.2 Terms and conditions of employment

A.7.2 During employment

A.7.2.1 Management responsibilities
A.7.2.2 Information security awareness, education and training
A.7.2.3 Disciplinary process

A.7.3 Termination and change of employment

A.7.3.1 Termination or change of employment responsibilities
A.8 Asset management
A.8.1 Responsibility for assets
A.8.1.1 Inventory of assets
A.8.1.2 Ownership of assets
A.8.1.3 Acceptable use of assets
A.8.1.4 Return of assets
CLD.8.1.5 Removal of cloud service customer assets

A.8.2 Information classification

A.8.2.1 Classification of information
A.8.2.2 Labelling of information
A.8.2.3 Handling of assets

A.8.3 Media Handling

A.8.3.1 Management of removable media
A.8.3.2 Disposal of media
A.8.3.3 Physical media transfer

A.9 Access control

A.9.1 Business requirements of access control
A.9.1.1 Access control policy
A.9.1.2 Access to networks and network services

02/15/2021 Page 5 of 20 [Insert classfication]

 REF
A.9.2 User access management
A.9.2.1 User registration and de-registration
A.9.2.2 User access provisioning
A.9.2.3 Management of privileged access rights
A.9.2.4 Management of secret authentication information of users
A.9.2.5 Review of user access rights
A.9.2.6 Removal or adjustment of access rights

A.9.3 User responsibilities

A.9.3.1 Use of secret authentication information

A.9.4 System and application access control

A.9.4.1 Information access restriction
A.9.4.2 Secure log-on procedures
A.9.4.3 Password management system
A.9.4.4 Use of privileged utility programs
A.9.4.5 Access control to program source code

CLD.9.5 Access control of cloud service customer data in shared virtual environment
CLD.9.5.1 Segregation in virtual computing environments
CLD.9.5.2 Virtual machine hardening

A.10 Cryptography
A.10.1 Cryptographic controls
A.10.1.1 Policy on the use of cryptographic controls
A.10.1.2 Key management

A.11 Physical and environmental security

A.11.1 Secure areas
A.11.1.1 Physical security perimeter
A.11.1.2 Physical entry controls
A.11.1.3 Securing offices, rooms and facilities
A.11.1.4 Protecting against external and environmental threats
A.11.1.5 Working in secure areas
A.11.1.6 Delivery and loading areas

A.11.2 Equipment
A.11.2.1 Equipment siting and protection
A.11.2.2 Supporting utilities
A.11.2.3 Cabling security
A.11.2.4 Equipment maintenance
A.11.2.5 Removal of assets
A.11.2.6 Security of equipment and assets off-premises
A.11.2.7 Secure disposal or reuse of equipment
A.11.2.8 Unattended user equipment
A.11.2.9 Clear desk and clear screen policy

A.12 Operations security

A.12.1 Operational procedures and responsibilities
A.12.1.1 Documented operating procedures
A.12.1.2 Change management
A.12.1.3 Capacity management
A.12.1.4 Separation of development, testing and operational environments
CLD.12.1.5 Administrator's operational security

A.12.2 Protection from malware

A.12.2.1 Controls against malware

A.12.3 Backup
A.12.3.1 Information backup

A.12.4 Logging and monitoring

A.12.4.1 Event logging
A.12.4.2 Protection of log information
A.12.4.3 Administrator and operator logs
A.12.4.4 Clock synchronisation
CLD.12.4.5 Monitoring of cloud services

A.12.5 Control of operational software

02/15/2021 Page 6 of 20 [Insert classfication]

 REF
A.12.5.1 Installation of software on operational systems

A.12.6 Technical vulnerability management

A.12.6.1 Management of technical vulnerabilities
A.12.6.2 Restrictions on software installation

A.12.7 Information systems audit considerations

A.12.7.1 Information systems audit controls

A.13 Communications security

A.13.1 Network security management
A.13.1.1 Network controls
A.13.1.2 Security of network services
A.13.1.3 Segregation in networks
CLD.13.1.4 Alignment of security management for virtual and physical networks

A.13.2 Information transfer

A.13.2.1 Information transfer policies and procedures
A.13.2.2 Agreements on information transfer
A.13.2.3 Electronic messaging
A.13.2.4 Confidentiality or nondisclosure agreements

A.14 System acquisition, development and maintenance

A.14.1 Security requirements of information systems
A.14.1.1 Information security requirements analysis and specification
A.14.1.2 Securing application services on public networks
A.14.1.3 Protecting application services transactions

A.14.2 Security in development and support processes

A.14.2.1 Secure development policy
A.14.2.2 System change control procedures
A.14.2.3 Technical review of applications after operating platform changes
A.14.2.4 Restrictions on changes to software packages
A.14.2.5 Secure system engineering principles
A.14.2.6 Secure development environment
A.14.2.7 Outsourced development
A.14.2.8 System security testing
A.14.2.9 System acceptance testing

A.14.3 Test data

A.14.3.1 Protection of test data

A.15 Supplier relationships

A.15.1 Information security in supplier relationships
A.15.1.1 Information security policy for supplier relationships
A.15.1.2 Addressing security within supplier agreements
A.15.1.3 Information and communication technology supply chain

A.15.2 Supplier service delivery management

A.15.2.1 Monitoring and review of supplier services
A.15.2.2 Managing changes to supplier services

A.16 Information security incident management

A.16.1 Management of information security incidents and improvements
A.16.1.1 Responsibilities and procedures
A.16.1.2 Reporting information security events
A.16.1.3 Reporting information security weaknesses
A.16.1.4 Assessment of and decision on information security events
A.16.1.5 Response to information security incidents
A.16.1.6 Learning from information security incidents
A.16.1.7 Collection of evidence

A.17 Information security aspects of business continuity management

A.17.1 Information security continuity
A.17.1.1 Planning information security continuity
A.17.1.2 Implementing information security continuity
A.17.1.3 Verify, review and evaluate information security continuity

02/15/2021 Page 7 of 20 [Insert classfication]

 REF
A.17.2 Redundancies
A.17.2.1 Availability of information processing facilities

A.18 Compliance
A.18.1 Compliance with legal and contractual requirements
A.18.1.1 Identification of applicable legislation and contractual requirements
A.18.1.2 Intellectual property rights
A.18.1.3 Protection of records
A.18.1.4 Privacy and protection of personally identifiable information
A.18.1.5 Regulation of cryptographic controls

A.18.2 Information security reviews

A.18.2.1 Independent review of information security
A.18.2.2 Compliance with security policies and standards
A.18.2.3 Technical compliance review

ISO/IEC 27018 Extended control set

A.1 Consent and choice
A.1.1 Obligation to cooperate regarding PII principals' rights

A.2 Purpose legitimacy and specification

A.2.1 Public cloud PII processor's purpose
A.2.2 Public cloud PII processor's commercial use

A.4 Data minimization

A.4.1 Secure erasure of temporary files

A.5 Use, retention and disclosure limitation

A.5.1 PII disclosure notification
A.5.2 Recording of PII disclosures

A.7 Openness, transparency and notice

A.7.1 Disclosure of sub-contracted PII processing

A.9 Accountability
A.9.1 Notification of a data breach involving PII
A.9.2 Retention period for administrative security policies and guidelines
A.9.3 PII return, transfer and disposal

A.10 Information security

A.10.1 Confidentiality or non-disclosure agreements
A.10.2 Restriction of the creation of hardcopy material
A.10.3 Control and logging of data restoration
A.10.4 Protecting data on storage media leaving the premises
A.10.5 Use of unencrypted portable storage media and devices
A.10.6 Encryption of PII transmitted over public data-transmission networks
A.10.7 Secure disposal of hardcopy materials
A.10.8 Unique use of userids
A.10.9 Records of authorized users
A.10.10 Userid management
A.10.11 Contract measures
A.10.12 Sub-contracted PII processing
A.10.13 Access to data on pre-used data storage space

A.11 Privacy compliance

A.11.1 Geographical location of PII
A.11.2 Intended destination of PII

02/15/2021 Page 8 of 20 [Insert classfication]

 ISO/IEC 27001 Annex A, ISO/IEC 27017 and ISO/IEC 27018 Example Risks and Reference Controls
The following list shows each of the reference controls and gives examples of the types of risks that they may be used to treat.
You may use this table to help to identify relevant risks for your organization and to define where the controls from Annex A of ISO/IEC 27001 are applicable.
Note: ISO27017 and ISO27018 controls will generally only apply if your organization is a Cloud Service Provider (CSP).

REF EXAMPLE RISK(S) ANNEX A CONTROL

1 It is not clear what the organization's rules are for managing information security. Employees and A.5.1.1 Policies for information security
others aren't aware of what they should be doing to protect the organization

2 Policies are out of date, do not reflect the organization's business or technical setup. New threats have A.5.1.2 Review of the policies for information security
emerged that need to be addressed in policies
3 It is not clear who should be doing what with respect to information security A.6.1.1 Information security roles and responsibilities
4 An individual is able to commit fraud because they are able to perform all of the steps required to A.6.1.2 Segregation of duties
enable the fraud. Checks are insufficient to prevent accidental amendment or destruction of data

5 The organization is unaware of their legal or regulatory responsibilities and may break the law without A.6.1.3 Contact with authorities
realising it
6 The organization lacks up to date knowledge of information security issues such as current threats, new A.6.1.4 Contact with special interest groups
controls and other relevant information
7 Information gathered and created during projects is not adequately protected A.6.1.5 Information security in project management
8 Data held on mobile devices is compromised through loss or theft of the device, or unauthorised access A.6.2.1 Mobile device policy

9 A teleworking site does not meet the information security standards ensured at main locations and data A.6.2.2 Teleworking
is exposed to loss or theft
10 It is not clear who does what with respect to cloud security and so data is compromised because one CLD.6.3.1 Shared roles and responsibilities within a cloud
party (e.g. cloud service customer) was under the impression that the other (e.g. cloud service provider) computing environment
was monitoring a particular aspect

11 An employee is recruited who deliberately breaches information security A.7.1.1 Screening

12 It is not clear to employees what their responsibilities for information security are A.7.1.2 Terms and conditions of employment
13 Management do not enforce and emphasise the need to comply with information security policies A.7.2.1 Management responsibilities

14 Employees and contractors are not aware of information security policies and and are unable to spot A.7.2.2 Information security awareness, education and
potential breaches training
15 The consequences of commiting an information security breach are not sufficiently clear to employees A.7.2.3 Disciplinary process

16 Ex-employees breach information security after leaving e.g. making confidential information public A.7.3.1 Termination or change of employment responsibilities

17 It is not clear what assets we are trying to protect and where they are located A.8.1.1 Inventory of assets
18 No-one takes responsibility for protecting specific assets A.8.1.2 Ownership of assets
19 Information and assets are used in ways that are not acceptable to the organization e.g. devices are A.8.1.3 Acceptable use of assets
physically abused and information left exposed
20 Assets are not returned when someone leaves the organization A.8.1.4 Return of assets
21 Assets that are stored with a cloud service provider are not returned CLD.8.1.5 Removal of cloud service customer assets
22 It is not clear how specific items of information should be protected A.8.2.1 Classification of information
23 Employees are unable to tell how information should be protected A.8.2.2 Labelling of information
24 Assets are handled inappropriately due to a lack of definition of how they should be addressed A.8.2.3 Handling of assets

25 Removable media is used without effective protection of the data held on it A.8.3.1 Management of removable media
26 The information stored on media is compromised when it is disposed of A.8.3.2 Disposal of media
27 Data held on media is accessed or lost whilst in transit and is not adequately protected e.g. by the use A.8.3.3 Physical media transfer
of encryption
28 Employees or third parties have access to information without authorisation or by mistake A.9.1.1 Access control policy
29 A user gains unauthorised access to information via a network that they have no reason to legitimately A.9.1.2 Access to networks and network services
use
30 User accounts are created without authority or not removed when no longer needed A.9.2.1 User registration and de-registration
31 Users are given an inappropriate level of access within systems A.9.2.2 User access provisioning
32 Privileged access rights are used by an unauthorised person to breach information security A.9.2.3 Management of privileged access rights
33 User passwords become known to someone other than the user to whom they relate A.9.2.4 Management of secret authentication information of
users
34 Inappropriate levels of access remain in place long term and attempts to increase permissions are not A.9.2.5 Review of user access rights
spotted
35 Ex-users still have access even when they have left the organization A.9.2.6 Removal or adjustment of access rights
36 Users share user accounts and let others know their passwords A.9.3.1 Use of secret authentication information
37 Too much access is allowed to a user where their role does not require it A.9.4.1 Information access restriction
38 Logon to secure systems is possible by unauthorised users A.9.4.2 Secure log-on procedures
39 Users do not set appropriately-strong passwords A.9.4.3 Password management system
40 A privileged utility program is used to bypass security controls and gain unauthorised access to A.9.4.4 Use of privileged utility programs
information
41 Program source code is destroyed or tampered with to benefit an attacker A.9.4.5 Access control to program source code
42 Another cloud customer is able to access the organization's information stored in a cloud application CLD.9.5.1 Segregation in virtual computing environments

43 A virtual machine is used as an entry point for an attack CLD.9.5.2 Virtual machine hardening
44 The use of encryption within the organization is haphazard and uncoordinated, resulting in a lack of A.10.1.1 Policy on the use of cryptographic controls
effectiveness and possible illegal use
45 Cryptographic keys are lost or compromised resulting in the loss of encrypted data A.10.1.2 Key management
46 It is not clear where physical security has been, or needs to be, applied A.11.1.1 Physical security perimeter
47 Unauthorised people are able to gain physical access to sensitive information A.11.1.2 Physical entry controls
48 Unauthorised people are able to gain physical access to sensitive information A.11.1.3 Securing offices, rooms and facilities
49 An accident, attack or natural disaster destroys or severely affects sensitive information and its A.11.1.4 Protecting against external and environmental
processing threats
50 People in secure areas leave the area open to attack or unauthorised access A.11.1.5 Working in secure areas

02/15/2021 Page 9 of 20 [Insert classfication]

 REF EXAMPLE RISK(S) ANNEX A CONTROL
51 Access is gained to secure areas via a publicly-accessible delivery area A.11.1.6 Delivery and loading areas
52 Screens showing sensitive information can be seen by unauthorised people A.11.2.1 Equipment siting and protection
53 Essential facilities are disabled due to a power outage A.11.2.2 Supporting utilities
54 Someone listens in to sensitive information by tapping a cable A.11.2.3 Cabling security
55 Equipment breaks down or fails to protect information due to a lack of appropriate care A.11.2.4 Equipment maintenance
56 Equipment, information or software is removed from a location without the knowledge or permission of A.11.2.5 Removal of assets
the organization
57 Assets containing sensitive information are left unprotected whilst offsite A.11.2.6 Security of equipment and assets off-premises

58 Sensitive information can be read from storage media that has been disposed of or reused A.11.2.7 Secure disposal or reuse of equipment
59 Someone accesses systems they are not authorised to using a device that has been left logged on. A.11.2.8 Unattended user equipment

60 Support staff, e.g. cleaners and security personnel, are able to read sensitive information left A.11.2.9 Clear desk and clear screen policy
unattended on desks
61 Operating procedures are not clear to all employees who need to perform them and vary according to A.12.1.1 Documented operating procedures
who does them
62 Information security becomes compromised when changes are made to the organization, business A.12.1.2 Change management
processes or information processing facilities and systems
63 Systems run slowly or not at all because the resources required are not available A.12.1.3 Capacity management
64 Software changes made in development are put live without adequate testing or supervision A.12.1.4 Separation of development, testing and operational
environments
65 An administrator of a cloud service makes a serious and unrecoverable error that affects service CLD.12.1.5 Administrator's operational security
availability or security
66 Systems are affected by malware e.g. ransomware or spyware, having a serious effect on service A.12.2.1 Controls against malware
delivery and security
67 Data is lost and cannot be recovered from backup A.12.3.1 Information backup
68 Suspicious events are not detected due to inadequate logs being kept A.12.4.1 Event logging
69 Incriminating logs are wiped or altered by an attacker A.12.4.2 Protection of log information
70 The activities of administrators and operators cannot be verified A.12.4.3 Administrator and operator logs
71 The time sequence of an attack cannot be identified because each of the clocks involved tell a different A.12.4.4 Clock synchronisation
time
72 The organization can't tell if a cloud service has been compromised because no logs are kept CLD.12.4.5 Monitoring of cloud services

73 Software is installed on an operational system which causes an unwanted effect e.g. compatibility A.12.5.1 Installation of software on operational systems
issues or the introduction of vulnerabilities
74 Vulnerabilities in systems are not identified or addressed and are then exploited by attackers. A.12.6.1 Management of technical vulnerabilities

75 A user installs some software that introduces vulnerabilities to the organization and its network A.12.6.2 Restrictions on software installation

76 A penetration test disrupts a live system during peak service hours A.12.7.1 Information systems audit controls
77 Network devices and their configuration are unmanaged and uncoordinated, so introducing A.13.1.1 Network controls
vulnerabilities for the organization
78 The required security mechanisms, service levels and management requirements for network services A.13.1.2 Security of network services
are not agreed with the supplier and so are not provided
79 An attacker, having gained access to the network, is able to see and access all systems and devices A.13.1.3 Segregation in networks

80 Virtual networks are configured differently to physical ones and as a consequence don't provide the CLD.13.1.4 Alignment of security management for virtual and
same required level of security physical networks
81 Information in transit is intercepted and compromised A.13.2.1 Information transfer policies and procedures
82 Transfer of information between the organization and external parties is not subject to adequate A.13.2.2 Agreements on information transfer
protection
83 information sent in electronic messaging systems e.g. email and messenger services, is compromised A.13.2.3 Electronic messaging

84 Confidential information is shared with others by a third party because it was not agreed that this is not A.13.2.4 Confidentiality or nondisclosure agreements
allowed
85 Information security is not considered adequately when new or enhanced systems are designed A.14.1.1 Information security requirements analysis and
specification
86 Information involved in application services is intercepted and modified in order to commit fraud A.14.1.2 Securing application services on public networks

87 Application service transactions are able to be used to mount an attack on the organization or its A.14.1.3 Protecting application services transactions
business partners
88 Software is written that has an unacceptable level of vulnerabilities A.14.2.1 Secure development policy
89 Changes are uncontrolled whilst in development leading to poor quality software and badly-defined A.14.2.2 System change control procedures
releases
90 Business critical applications are adversely affected when the underlying operating platform is changed A.14.2.3 Technical review of applications after operating
platform changes
91 Significant modifications to software packages introduce security vulnerabilities, functionality issues A.14.2.4 Restrictions on changes to software packages
and support problems
92 Systems are deisgned without adequate regard to, or knowledge of, information security A.14.2.5 Secure system engineering principles
93 Development environments are able to be accessed by unauthorised persons who introduce code that A.14.2.6 Secure development environment
makes future attacks easier
94 Code developed by an outsourcing provider contains security flaws that are not discovered by the A.14.2.7 Outsourced development
organization
95 Security functionality doesn't work correctly in live software A.14.2.8 System security testing
96 Newly-implemented systems don't work as intended A.14.2.9 System acceptance testing
97 Test data doesn't identify issues with the software being tested and is itself of value to an attacker (e.g. A.14.3.1 Protection of test data
if copied from live data)
98 An attacker gains access to the organization's network using logon credentials obtained from a supplier A.15.1.1 Information security policy for supplier relationships
who has legitimate access
99 A supplier, who provides services to and has access to the organization's information, has inadequate A.15.1.2 Addressing security within supplier agreements
security controls in place and suffers a breach involving the organization's data
100 A supplier uses contractors who do not have adequate security controls in place A.15.1.3 Information and communication technology supply
chain
101 A supplier is not delivering the level of service that they should A.15.2.1 Monitoring and review of supplier services
102 A supplier e.g. cloud service provider, makes a change that is not expected and which significantly A.15.2.2 Managing changes to supplier services
affects the organization's business processes
103 It is not clear who should do what when an information security incident occurs A.16.1.1 Responsibilities and procedures
104 Management is not aware that an information security event has been detected A.16.1.2 Reporting information security events
105 Weaknesses in information security do not get addressed because they are not reported A.16.1.3 Reporting information security weaknesses

02/15/2021 Page 10 of 20 [Insert classfication]

 REF EXAMPLE RISK(S) ANNEX A CONTROL
106 No decisions are taken about whether events should be escalated to incidents A.16.1.4 Assessment of and decision on information security
events
107 The response to information security incidents is inadequate and procedures are not used A.16.1.5 Response to information security incidents
108 Nothing is learned from incidents and no improvements are made A.16.1.6 Learning from information security incidents
109 No usable or admissible evidence is collected as a result of a lack of awareness of how this must be A.16.1.7 Collection of evidence
done. Because of this, nobody can be prosecuted
110 It is not known what level of information security must be provided during a disruptive event A.17.1.1 Planning information security continuity

111 Information security controls become ineffective when a disruptive event happens A.17.1.2 Implementing information security continuity
112 The intended information security controls don't work during a disruptive event because they have A.17.1.3 Verify, review and evaluate information security
never been tested continuity
113 Information processing facilities fail due to a lack of sufficient redundancy A.17.2.1 Availability of information processing facilities

114 It is not known what legislative, regulatory and contractual requirements each information system must A.18.1.1 Identification of applicable legislation and
meet and, as a result, such requirements are not met contractual requirements
115 The organization is subject to legal action as a result of breaching intellectual property rights and A.18.1.2 Intellectual property rights
licensing requirements
116 Records that are required to be kept are lost, falsified or accessed, resulting in legal or contractual issues A.18.1.3 Protection of records

117 Laws requiring the protection of personally identifiable information are breached, resulting in A.18.1.4 Privacy and protection of personally identifiable
prosecution and fines information
118 Cryptography is used inappropriately, resulting in prosecution A.18.1.5 Regulation of cryptographic controls
119 The implementation of information security is never independently checked and many controls do not A.18.2.1 Independent review of information security
work as intended
120 Management does not check that policies and procedures are being followed and people stop using A.18.2.2 Compliance with security policies and standards
them over time
121 As systems evolve, security controls become less effective and more vulnerable to attack A.18.2.3 Technical compliance review
122 Data subjects are unable to exercise their legal rights and the relevant data controller is subject to A.1.1 Obligation to cooperate regarding PII principals' rights
prosecution
123 PII is used by the processor for additional purposes without the controller's consent A.2.1 Public cloud PII processor's purpose
124 The processor uses the PII for marketing purposes, so breaching relevant legislation A.2.2 Public cloud PII processor's commercial use
125 PII held in temporary files, e.g. database journals, is not deleted and is accessed by unauthorised A.4.1 Secure erasure of temporary files
persons
126 The controller is unaware that the processor has provided PII to a law enforcement agency, despite the A.5.1 PII disclosure notification
processor being permitted to tell them
127 The PII that has been disclosed and the third parties it has been disclosed to, is not known because it A.5.2 Recording of PII disclosures
was not recorded
128 The processor uses sub-contractors that do not provide adequate protection for PII A.7.1 Disclosure of sub-contracted PII processing
129 The controller is not aware that the PII under their control has been breached and so cannot meet its A.9.1 Notification of a data breach involving PII
legal obligations
130 It is not certain what version of a policy or procedure was in force, or its contents, at the time of an A.9.2 Retention period for administrative security policies
issue that is later being investigated and guidelines
131 PII is not returned or disposed of correctly by the processor when no longer required, making it A.9.3 PII return, transfer and disposal
vulnerable to compromise
132 Employees of the PII processor make the controller's PII available to others because they weren't aware A.10.1 Confidentiality or non-disclosure agreements
that it is confidential
133 Printouts containing PII are lost or accessed by unauthorised persons A.10.2 Restriction of the creation of hardcopy material
134 Legal obligations to record data restorations are not met, resulting in prosecution A.10.3 Control and logging of data restoration
135 PII on storage media in transit is lost or compromised A.10.4 Protecting data on storage media leaving the premises

136 PII on storage media that can't be encrypted is accessed by unauthorised persons A.10.5 Use of unencrypted portable storage media and
devices
137 Transmitted PII is intercepted and its confidentiality breached A.10.6 Encryption of PII transmitted over public data-
transmission networks
138 Hardcopy that has been disposed of in an inadequate way may be still readable A.10.7 Secure disposal of hardcopy materials
139 It is unclear which individual performed a task or accessed PII A.10.8 Unique use of userids
140 More people than intended have access to the PII A.10.9 Records of authorized users
141 User accounts are re-used and it is unclear who accessed PII on a specific date and time A.10.10 Userid management
142 The processor does not put adequate security controls in place to protect the PII and uses them for A.10.11 Contract measures
unauthorised purposes
143 A sub-contractor used by the processor does not put adequate security controls in place to protect the A.10.12 Sub-contracted PII processing
PII
144 Data previously held on a storage device is visible to the new recipient of that storage space A.10.13 Access to data on pre-used data storage space

145 The controller cannot comply with data protection legislation because no information is provided by the A.11.1 Geographical location of PII
processor about where the PII is stored
146 PII that is transmitted does not arrive at the intended destination A.11.2 Intended destination of PII

02/15/2021 Page 11 of 20 [Insert classfication]

 Risk Profile Diagram

Pre-Treatment Post-Treatment

5 0 0 0 0 0 5 0 0 0 0 0

4 0 0 0 0 0 4 0 0 0 0 0

Risk Risk
3 0 0 0 0 0 3 0 0 0 0 0
Likelihood Likelihood

2 0 0 0 0 0 2 0 0 0 0 0

1 0 0 0 0 0 1 0 0 0 0 0

1 2 3 4 5 1 2 3 4 5

Risk Impact Risk Impact

02/15/2021 Page 12 of 20 [Insert classfication]

 Number of Risks by Risk Level
Pre- and Post-Treatment
1
Number of Risks

0
Low Medium High

Risk Level

02/15/2021 Page 13 of 20 [Insert classfication]

 Risks by Treatment Option Chosen

02/15/2021 Page 14 of 20 [Insert classfication]

 Pre-Treatment Risk Levels by Risk Type
11

10

7
Number of risks

Risk Level Total Result

5

0
Total Result

Risk Type (C = Confidentiality, I = Integrity, A = Availability)

02/15/2021 Page 15 of 20 [Insert classfication]

 Pre-Treatment Risk Levels by Risk Owner
11

10

7
Number of risks

6
Risk Level Total Result
5

0
Total Result

Risk Owner

02/15/2021 Page 16 of 20 [Insert classfication]

 Total Treatment Cost by Risk Level
12

10

8
Treatment Cost

0
Total Result

Pre-Treatment Risk Level

02/15/2021 Page 17 of 20 [Insert classfication]

 Likelihood
This table should be used to decide upon the most appropriate likelihood for a particular threat.

LIKELIHOOD DESCRIPTION SUMMARY

1 Improbable Has never happened before and there is no reason to think it is any
more likely now
2 Unlikely There is a possibility that it could happen, but it probably won't
3 Likely On balance, the risk is more likely to happen than not

4 Very Likely It would be a surprise if the risk did not occur either based on past
frequency or current circumstances
5 Almost certain Either already happens regularly or there is some reason to believe it is
virtually imminent

02/15/2021 Page 18 of 20 [Insert classfication]

 Impact
This table should be used as guidance to help to decide upon the correct impact rating for a particular threat.

IMPACT LEVEL IMPACT AREAS

Impact General Effect on customers Financial cost Health and Safety Damage to reputation Legal, Contractual and
rating description Organizational Compliance
1 Negligible No effect Very little or none Very small additional risk Negligible No implications

2 Slight Some local disturbance to Some Within acceptable limits Slight Small risk of not meeting
normal business compliance
operations

3 Moderate Can still deliver Unwelcome but could be Elevated risk requiring Moderate In definite danger of operating
product/service with borne immediate attention illegally
some difficulty

4 High Business is crippled in key Severe effect on income Significant danger to life High Operating illegally in some
areas and/or profit areas
5 Very High Out of business; no Crippling; the Real or strong potential Very High Severe fines and possible
service to customers organisation will go out of loss of life imprisonment of staff
business

02/15/2021 Page 19 of 20 [Insert classfication]

 Classification of Risk Level
The chart below shows the rating scheme used to determine risk level based on a combination of likelihood and impact.

RISK SCORE
5

HIGH

Risk 3 MEDIUM
Likelihood

LOW

1 2 3 4 5

Risk Impact

02/15/2021 Page 20 of 20 [Insert classfication]