This document describes the risk assessment and risk treatment process used by Riesgo Risk Management's ISO27001 compliance tool. It involves projects submitting initial surveys that are scored as low, medium, or high risk. Medium and high risk projects undergo further assessment by an information security team. They identify project risks and information assets, conduct business impact assessments, and update risk registers with mitigation actions. Dashboards provide visibility into projects, assets, policies, and overall risk management. The tool aims to facilitate remote risk assessment and compliance for organizations.

1. www.riesgoriskmanagement.com info@riesgoriskmanagement.com
Risk assessment and risk treatment
www.riesgoriskmanagement.com
Contents
Introduction ............................................................................................................................................ 2
Process overview .................................................................................................................................... 2
Risk assessment initiation: project submission & initial survey ............................................................. 3
The project registration form ................................................................................................................. 4
The submitted project registration form ................................................................................................ 5
Project register........................................................................................................................................ 7
The risk assessment ................................................................................................................................ 8
Project risk identification ........................................................................................................................ 9
Information Asset risk assessment ....................................................................................................... 10
Business impact assessment ................................................................................................................. 11
Risk assessment of assets ..................................................................................................................... 12
Risk management dashboards .............................................................................................................. 13
1

2. www.riesgoriskmanagement.com info@riesgoriskmanagement.com
Introduction
This document describes how www.riesgoriskmanagement.com ISO27001 compliance tool via its
risk management function handles risk assessment and risk treatment. The following assumptions
are made:
1. There is an Information security/compliance team in place
2. There are business processes in place with the Project teams and business units to submit
projects and business changes as and when they occur.
3. There is a Risk Assurance forum in place to handle risks raised by the organisation on a
periodic basis.
4. There is a minimum security policy in place in which all projects, business changes have to
adhere to.
Process overview
The diagram below depicts the process by which projects are submitted and assessed, have their
risks mitigated as well as the risk management and assurance.
2

3. www.riesgoriskmanagement.com info@riesgoriskmanagement.com
Risk assessment initiation: project submission & initial survey
The initial stage of risk assessment begins with project teams or business units submitting projects or
business changes for assessment. For the sake simplicity, we provide a web based forms where
project managers, business units can submit their projects or change requests.
In order not to overwhelm the system, we have a project survey; this form completed by the project
team or business unit and provides all the relevant information about the project. The initial survey
is designed with rating system, depending on the selected entities, the project may score low or
high.
Low projects tend to be projects that either does not impact significant areas i.e. credit cards or
confidential data or indicative a project that even though it impacts significant areas has adopted the
correct minimum level for compliance.
In either case, the project is submitted to the information security team for review.
The picture below shows the function the team leader to allocate project to a team of consultants.
3

4. www.riesgoriskmanagement.com info@riesgoriskmanagement.com
The project registration form
The form will be made available on your intranet to allow all business units regardless of their
geographical location to be able to access the form and complete the project registration.
4

5. www.riesgoriskmanagement.com info@riesgoriskmanagement.com
The submitted project registration form
Once completed, the project results are displayed to the project team and an alert is sent to the
information security/compliance team with an indication of the result.
The Survey score indicates that the project has scored low.
The fields can be changed to accommodate the specific requirements of your organisation and the
risk ratings can be changed to also reflect to your risk appetite. The risk score can be high, medium
or low.
All projects submitted can be viewed by the information security/compliance team and they can
decide on which of the projects they wish to assess further. Traditionally, only medium and high risk
projects are further assessed.
If the information security/compliance team have several members that share work, we have the
functionality for the team leader role who will deal with allocating projects to teams members.
5

6. www.riesgoriskmanagement.com info@riesgoriskmanagement.com
A project with a high rating
6

7. www.riesgoriskmanagement.com info@riesgoriskmanagement.com
Project register
The project register submitted to the information security or compliance team provides the team
with details of the project as well as the relevant for billing and time scale.
The solution provides the team with the flexibility to provide their services to business units in
remote locations and maintain the same level of assurance.
Each project will also contain the full documentation set for the project either on teamrooms or as
attachment, the documentations can include, PID, BRS, HLD and or LLD.
7

8. www.riesgoriskmanagement.com info@riesgoriskmanagement.com
The risk assessment
Once the project has been assigned to a consultant, he or she would be able to pick up the project
and review the details as well as carry out the business impact assessment. This BIA framework can
incorporate your current risk management templates.
The project dashboard reveals to the
consultant the project details, the FRS
survey carried out and he or she can
initiate the Business impact assessment.
If the team operates a milestone approval
gate system, then the project milestones
will also be available to the consultant for
approval on due dates.
The reports are also available to the project
team for review and feedbacks.
The diagram below describes how
The consultant can add a new BIA as well as add stakeholders
8

9. www.riesgoriskmanagement.com info@riesgoriskmanagement.com
Project risk identification
When the Consultant goes through the project documentation and has his or her meetings with
them to identify the intentions and proposals from the project, the tool provide the option to
register the risks identified in the project.
The risk will identify the business impact, likelihood of occurrence as well as residual risks associated
with the risk. The risk will be stored on the project risk register and reviewed periodically at each
project milestone.
The project register will be available to projects and information security/compliance teams to
review and mitigate. As each mitigation is addressed and approved, the risk register will be updated
to ensure there are no stagnant risks.
9

10. www.riesgoriskmanagement.com info@riesgoriskmanagement.com
Information Asset risk assessment
Each information Asset is registered per business unit or organisation. The business unit can upload
their assets and either carry out their risk assessment based on Confidentiality, Integrity and
availability (CIA) using the standard risk matrix calculates the business impact assessment by
defining the business risk, likelihood of occurrence and residual risk.
The picture below shows how an information security/compliance team can view all the information
assets from each business unit. When each business logs on, they will only be able to see their own
assets whilst the information security/compliance can see the entire organisation.
If the information asset was completed by the business unit, the information security/compliance
team can review the information added and adjust accordingly or produce baseline policies for
dealing with specific data for example, fraud, confidential or business sensitive assets.
10

11. www.riesgoriskmanagement.com info@riesgoriskmanagement.com
Business impact assessment
The consultants can initiate their Business impact assessment for the project either by uploading
their own BIA documents or if teamrooms are used setup a link to the central document repository.
Once the BIA is uploaded,
11

12. www.riesgoriskmanagement.com info@riesgoriskmanagement.com
Risk assessment of assets
The information asset can be edited to suit its current status. Each Asset is given an Asset ID and
detail description provided including, data input and output as well as with whom the information
asset is being shared.
12

13. www.riesgoriskmanagement.com info@riesgoriskmanagement.com
Risk management dashboards
The tool provides several risk management dashboards depending on the desire of the organisation
The project dashboard
Asset list
13

14. www.riesgoriskmanagement.com info@riesgoriskmanagement.com
Policy dashboard
14