Risk assessments for government organisations
These are the fundamentals of a good risk assessment process.
- About risk assessments
  Risk assessments help government organisations in New Zealand to make sure they can understand, prioritise and manage security risks.
- Setting up a successful risk assessment
  At each step of the risk assessment process, it’s important to consult the right people, inside and outside of your organisation, and communicate effectively.
- Business context
  Understand how the system fits in your organisation so you can judge how important the information is.
- Technical context
  Find the technical context of an information system to get a basic understanding of its current security position — this way, you can know whether a change makes that position better or worse.
- Identify the risks
  Create a full list of events that may prevent, degrade or delay your organisation in achieving its business objectives.
- Analyse the risks
  Carry out impact and likelihood assessments, listing the existing controls, to find the risk ratings for an information system.
- Prioritise the risks
  Find out which risks need to be evaluated and in which order of priority.
- Evaluate the risks
  The business owner must select an action and controls for each risk, and sign off on the risk assessment report — using it to manage the risks to the information system.
- Next step — use the risk assessment report
  The business owner makes sure the controls recommended in the risk assessment report are implemented.