Risk Assessment Procedure (SEC-PROC-004)
1. Purpose
To establish a systematic process for conducting annual and ad-hoc risk assessments to identify, analyze, and evaluate risks to the organization’s information assets.
2. Scope
This procedure applies to all information assets and processes within the scope of the Information Security Management System (ISMS). Risk assessments are performed annually and on an ad-hoc basis when significant changes occur.
3. Overview
This procedure details the methodology for conducting risk assessments. It covers the identification of assets, threats, and vulnerabilities; the analysis of likelihood and impact; the calculation of risk levels; and the documentation of results in the risk register and a formal report.
4. Procedure
| Step | Who | What |
|---|---|---|
| 1 | Risk Assessment Team | Identifies and documents critical information assets and their owners. |
| 2 | Risk Assessment Team | Identifies potential threats and vulnerabilities associated with each asset. |
| 3 | Risk Assessment Team | Analyzes the likelihood of a threat exploiting a vulnerability and the potential impact on the organization. |
| 4 | Risk Assessment Team | Calculates the overall risk level for each identified threat/vulnerability pair based on predefined risk criteria. |
| 5 | Risk Assessment Team | Documents the results of the assessment, including identified risks, risk levels, and recommended treatments, in the risk register. |
| 6 | Security Officer | Compiles a formal Risk Assessment Report summarizing the key findings and recommendations for management review. |
5. Standards Compliance
| Procedure Step(s) | Standard/Framework | Control Reference |
|---|---|---|
| 1-6 | SOC 2 | CC3.2 |
| 1-6 | HIPAA/HITECH | 45 CFR § 164.308(a)(1)(ii)(A) |
6. Artifact(s)
An updated Risk Register and a formal Risk Assessment Report.
7. Definitions
Risk Register: A log of identified risks, their characteristics, and their status.
8. Responsibilities
| Role | Responsibility |
|---|---|
| Risk Assessment Team | Conducts the risk assessment activities as outlined in this procedure. |
| Security Officer | Oversees the risk assessment process and is responsible for the final report. |
| Asset Owners | Provide the necessary information about their assets for the risk assessment. |