Analyse the risks to an information system
Carry out impact and likelihood assessments, listing the existing controls, to find the risk ratings for an information system.
- Using risk scales and matrices for your organisation
  Use your organisation’s approved risk scales and matrices — if they’re in development or do not exist, use our examples to help in their development and approval.
- Assess the impacts of risks happening
  Examples of simple and detailed impact scales — the business owner decides which is appropriate to use.
- Assess the likelihood of risks happening
  Example of a likelihood scale and how the business owner and stakeholders can use quantitative information in assessing each risk’s likelihood.
- Find the initial risk ratings
  Use a risk matrix to combine the impact and likelihood assessments to find each risk’s initial rating — also called an overall or a gross rating.
- List the existing controls for each risk
  Run a workshop with the right stakeholders to identify the existing controls for an information system.
- Find the final risk ratings
  Using the list of existing controls, see how they do or do not affect the initial risk ratings. The result is the final risk ratings — also called residual or net ratings.