Risk assessments for government organisations
These are the fundamentals of a good risk assessment process.
About risk assessments
Risk assessments help government organisations in New Zealand understand, prioritise and manage security risks.
Setting up a successful risk assessment
At each step of the risk assessment process, it’s important to consult the right people, inside and outside of your organisation, and communicate effectively.
Understand how the information system fits in your organisation so you can judge how important the information is.
Find the technical context of an information system to get a basic understanding of its current security position — this way, you can know whether a change makes that position better or worse.
Identify the risks
Create a full list of events that may prevent, degrade or delay your organisation in achieving its business objectives.
Analyse the risks
Carry out impact and likelihood assessments, listing the existing controls, to find the risk ratings for an information system.
Prioritise the risks
Find out which risks need to be evaluated and in which order of priority.
Evaluate the risks
The business owner must select an action and controls for each risk, and sign off on the risk assessment report — using it to manage the risks to the information system.
Next step — use the risk assessment report
The business owner makes sure the controls recommended in the risk assessment report are implemented.