Risk Assessment Methodology
Document Summary
Item Value
Organization Information Dynamics
Document Name Risk Assessment Methodology
Classification Internal
Compliance Reference
ISO 27001:2013,ISO 20000:2018,
ISO 31000:2011
Document Revision History
Date Version Prepared By
07-March-2020 1.0 First Version
07-March-2021 2.0 Version Upgrade
07-March-2022 3.0 Version Upgrade
Document Review History
Reviewed By Version Date Signature
Sankar 1.0 07-Mar-2020
Sankar 2.0 07-Mar-2021
Linda 2.0 07-Mar-2022
Risk Assessment Methodology Page 1
1. Purpose
The purpose of this document is to provide a methodology to conduct Information Security Risk
Assessments. This document covers the fields that need to be calculated during risk assessments,
Identification of risk owners, treatment plans considerations and Risk Acceptance of the firm. This risk
assessment methodology is based on the ISO 31000 standard and can be used for any department in the
firm.
2. Scope
The scope of this document applies to all information assets across IT department of Information
Dynamics. The theme of this risk assessment shall be to capture information security related risks.
3. Methodology
3.1. General Principles
Risk Assessment is a mandatory exercise as per multiple standards like ISO 27001:2013, ISO
20000:2018
The risk assessment exercise shall help identify risks affecting the organization’s information,
process from an internal and external context.
3.2. Risk Assessment Methodology
The methodology of risk assessment is based on the below framework.
The following events are the triggers for the risk management process:
New system/project initiation
Periodic Assessment/evaluation of existing information systems
The discovery of new threats/vulnerabilities
Changes to Asset inventory (e.g. new hardware/operating system /application updates)
Changes to operational procedures
Changes to the processes and system dependencies/inter-relationships
Changes to the Organization
Changes to the Technology
Changes to Business objectives and processes
Changes to the effectiveness of the controls
External events, such as changes to the legal or regulatory environment, changed contractual
obligations, and changes in social climate.
Risk Assessment Methodology Page 2
3.3. ESTABLISH THE CONTEXT
Internal and external context are factors that might affect Information Dynamics. These factors might
be inputs from internal or external sources. These shall have an impact on Information Dynamics in
terms of financial, image and reputation, social, technological, economical etc. This analysis can be
done through a PEST analysis to understand the different aspects which affect Information Dynamics
on regular basis. (PEST Political, Economical, Social and Technological). Information Dynamics shall
identify these factors and map to information security controls. Any risks that can be foreseen
through these factors shall go through a risk assessment and have a mitigation plan.
3.4. IDENTIFICATION OF RISKS
Risk Events (Combination of threats and Vulnerabilities) shall be identified by the department which
might affect the services provided by Information Dynamics. This shall be a combination of threat
and Vulnerability for easier reference by all business units. (This shall be referred as “Risk Event or
“Risk Statement”). The risk assessments shall be conducted for every department, however the
inputs to the exercise shall be based on the information assets the department possess. Inline with
the department services provided and the assets involved, the sources of these risk events shall be
Risk Assessment Methodology Page 3
identified and the areas of impact shall be calculated. Each risk shall have respective assets mapped
to them to understand what assets shall be affected if the risk materializes.
3.5. Determining Risk Type
Risk Type determination is based on 3 factors.
Risk Type Description
New Risks
Risks arising based on new external/ internal threats in the
environment.
Inherent Risks
The risk that an activity would pose if no controls or other
mitigating factors were in place (the gross risk or risk before
controls)
Residual Risks
Residual risk is the risk that remains in the system after the
security controls have been adopted.
Risk events are generally from multiple sources; however, the sources are segregated into the
following categories.
1. Technical Assessment
2. Compliance Assessment
3. Audit Management (Internal & External)
4. Information Access Control review
5. Security Architecture Review
6. Security Incident Registers
7. Review of Minimum Baseline Security Standards
8. Project Risks
9. OWASP Technical Security
10. Risks related to human resources
Risk Assessment Methodology Page 4
11. Discussion with the Service Owners on security risks in their process.
3.6. Impact Areas
Risk Events shall be evaluated with the following areas of impact to determine the criticality of the
service:
1. Image and Reputation
2. Internal Operations
3. Financial Loss
4. Legal and Compliance
5. Customers
These analyses of risk events and their likelihood of occurrence shall be determined by the respective
teams and identified for specific services.
4. RISK ANALYSIS
Risk Analysis phase is the where the risks are assessed and calculated based on analysis of risk
events, their potential impact and the likelihood of occurrence.
4.1. Potential Impact/ Consequence:
The potential impact is the overall impact that the service might have on organization if any risks are
not mitigated and lead to a successful breach. Each area shall be rated against 3 ratings, Minor,
Moderate, Major and NA (Not Applicable)
Risk Assessment Methodology Page 5
Potential Impact takes the highest of the impact areas.
4.2. Likelihood or Probability of risk event:
While determining the probability, the threat frequency in terms of how often it might occur, based on
past experience and statistics shall be considered. Geographical factors such as proximity to natural
disaster, the possibility of extreme weather conditions, and factors that could influence human errors
and equipment malfunction.
The likelihood of threat occurrence is valued using the following scale.
Likelihood Of Occurrence Values
Very Unlikely 1
Unlikely 2
Could Happen 3
Likely 4
Very Likely 5
Risk Assessment Methodology Page 6
RATING DECISION FACTORS - LEVELS
Very Low Service likely to have minimal effect on this area or no effect.
Low Low impact on the services if the risk is materialized
Medium
Moderate impact to the operations/ business if the service is affected.
Services are down, but can be manageable upto certain time.
High
High impact to business operations and organization reputation if the
service is affected
Very High
Very High impact to the business operations. Highest level and needs
immediate attention
4.3. Risk Calculation:
Risk Calculation is the product of the Potential Impact and the Likelihood of Occurrence.
Eg: If the impact of the service is High and the probability of occurrence is very likely, then
the risk associated to it is High.
Risk = Potential Consequence X Likelihood of Occurrence
Likelihood
Impac
t
1 2 3 4 5
1 1 2 3 4 5
2 2 4 6 8 10
3 3 6 9 12 15
4 4 8 12 16 20
5 5 10 15 20 25
5. RISK EVALUATION
Risk Assessment Methodology Page 7
Risk Value
Very Low 1 to 5
Low 6 to 10
Medium 11 to 15
High 16 to 20
Very High 21 to 25
In the Risk Evaluation phase, the identified risks values are compared to acceptable risk level agreed by
the ISSC. In case of risk value being greater than the acceptable level, a mitigation plan shall be made to
adopt security controls.
5.1. Acceptable Value
Risk Treatment requires a baseline for prioritizing and treating risks. The baseline level indicates the
acceptable values of risk. Risk values above the acceptable level require treatment at a higher
priority. Risk values within the baseline level may be accepted.
The Information Security Steering Committee has accepted Very Low and Low risks
All Medium, High and Very High risks shall be treated. (Risk Score of 11 and above)
Some risk values may remain above this baseline level because they cannot be immediately treated
due to various factors such as lack of resources, high mitigation costs etc. These need to be
separately accepted at their higher risk values and signed off by the Information Security Steering
Committee. Risk values within the baseline level do not require any such formal acceptance.
Risk Assessment Methodology Page 8
5.2. Justification of Accepting Risks
Any risk value above the acceptable value defined by the management shall have a treatment plan.
However, in certain cases, risks above the acceptable level which cannot be treated can be accepted
based on certain factors and management approvals.
Management shall accept the risks based on multiple criteria that can be assessed or might be
subjective to the business. However the following shall be considered:
1. Return on Investment - This is based on the cost involved in implementing the control and the
risk that it addresses. If the cost involved in implementing the control is more than the actual risk
reduction, then the management might take a decision to accept the risk.
2. Information that the control might safeguard If the control that is going to be implemented
safeguards the information which is not critical to the organization, then the decision might be
taken by the committee to accept the risk.
3. Resources Not Available for the project/ Control Implementation If the adoption of
controls requires additional resources in terms of employees, technology and other areas which
is not feasible, then the management can decide to accept the risk. However, if the same is a
critical risk, then it shall need to be monitored on regular basis with alternative compensating
controls.
4. Incompatibility or Technically not feasible If the controls are