About risk assessments
Risk assessments help government organisations in New Zealand to make sure they can understand, prioritise and manage security risks.
Importance of business and technical contexts
To accurately identify, analyse, prioritise and manage the risks to an information system, you’ll need to know its:
Knowing these contexts lets you and the stakeholders be confident that you understand the business objectives and the internal and external factors that influence the risks. For these reasons, they are key starting points for risk assessments.
Importance of risk assessments
It’s essential that NZ government organisations assess the risks for all information technologies they adopt.
Information systems and risk assessments
Risk assessments, as outlined on Digital.govt.nz, focus on information systems in government organisations.
Setting up a successful risk assessment
Information systems are sets of technology components that work together to store, process and send information. Cloud services are also information systems.
Information system — National Institute of Standards and Technology
Risk assessments follow risk management standards and methodologies
The process for assessing risks is aligned with and based on the following risk management standards from Standards New Zealand.
- Risk management — Guidelines — AS/NZS ISO 31000:2018
- Information technology — Security techniques — Information security risk management — AS/NZS ISO/IEC 27005:2018
The risk assessment process also draws on risk assessment methodologies from:
- Carnegie Mellon — Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Allegro: Improving the information security risk assessment process
- Sherwood Applied Business Security Architecture (SABSA).