
STUDENT ID XXXXXXXXXXXXXXX 1
Information Security Management System (ISMS) in
Modern Organizations
XXXXXXXXXXXXXXXX
Abstract
The information risk environment is constantly evolving as a result of new technology and organizational transformation. The UK government is undertaking an ambitious digital transformation programme. This study looked at historic information security incidents and events that affected governments and public bodies. This research informed the need for Information Risk Management (IRM) in DE&S, a UK government agency. The ISO 27000 series and the FAIR risk analysis methodology are discussed in the context of DE&S. A qualitative information risk assessment was carried out for DE&S, and control measures were selected from ISO 27001 Annex A to mitigate the identified risks.
Key Words—Information Risk Management, IRM, Information
Security Management System, ISMS, Risk Analysis, ISO27000
I. INTRODUCTION
ORGANISATIONS big and small alike are increasingly relying on information, and specifically digital information, to conduct business, from traditional sectors such as banking, online retail and public agencies to individual households in the form of smart electricity meters and security systems. Cheap smart devices and improvements in network technology have enabled millions of people to go online. For example, data published by the Pew Research Center [1] show that 81% of Americans owned a smartphone in 2019, up from 35% in 2011. These technologies have opened up a vast pool of information resources.
The UK government has been quick to realize the benefit of using these information resources to enhance its services and undertakings, through its 2012 Government Digital Strategy and the subsequent Government Transformation Strategy [2]. As stated in the Government Transformation Strategy, several government agencies and departments have been transforming themselves into digital businesses. The Ministry of Defence (MoD) is one such department that has undergone a large digital transformation, and Defence Equipment and Support (DE&S) in particular is a large entity within the MoD to have undergone this transformation.
Cyber-attacks are now very common and a daily fixture in technology news [3]. The growth of digitized data has created new challenges in securing it, and reliance on that data has turned the information itself into an invaluable asset. Rapid digital transformation, combined with the growing number of organizations embracing it, results in increased vulnerability. A robust mechanism is therefore required to understand and mitigate the risks arising from these vulnerabilities, in the form of Information Risk Management (IRM). Several methodologies can be used to realize IRM; an Information Security Management System (ISMS) and Factor Analysis of Information Risk (FAIR) are two of them.
The aim of this article is to explore the ISMS, especially the ISO 27000 standards, and the FAIR methodology within the context of an organization and its business. DE&S, having undergone a large transformation programme, will require an IRM to manage information risks effectively. The article also explores cyber events and incidents that have affected similar organizations, to justify the requirement for an IRM grounded in the principles of information security described by the CIA triad (confidentiality, integrity and availability). Finally, the risk analysis conducted using these methodologies is reflected upon, to illustrate the impact on the business and to justify the treatment strategies that address the identified risks.
II. DEFENCE EQUIPMENT AND SUPPORT (DE&S)
DE&S is the primary acquisition agency of the MoD, operating as an “Arm’s Length Body”. It is headquartered in Bristol, with operations in several other locations including military bases and overseas establishments. With a workforce of nearly 12,000, DE&S runs multibillion-pound projects across the Air, Land and Maritime domains, procuring equipment for all elements of the British Armed Forces and providing through-life support [4]. Its portfolio ranges from high-value acquisitions such as the F-35 Lightning, at £8.4B, to low-value commodity items. DE&S also manages the British Forces Post Office (BFPO) and integrated logistical support for its procurements.
By equipping the UK armed forces, DE&S provides an invaluable service, contributing to the safeguarding of UK national security and thereby influencing the nation’s economic prosperity and international diplomacy. The nature of the business makes it a target for espionage by foreign states and extremist organizations, and exposes it to increased public scrutiny in the event of reputational or financial damage.
A key aspect of DE&S’s business is the through-life support of the equipment it procures. For example, if an aircraft is procured, the organization is responsible for maintaining auditable records on contracts, competitions and other services. Moreover, some records, such as key airworthiness and design documents, have a retention period dictated by regulation. This period can last for years, even after the equipment has been disposed of by UK forces, because it may still be in use by allied forces. It must also be noted that DE&S often collaborates with allies in designing and building capabilities, which in turn generates sensitive data that, if breached, can have negative consequences for those allies as well.
As part of its digital transformation, DE&S employees work remotely on a regular basis, using video conferencing, email and cloud technologies to share and collaborate. As well as a technology change, this is a cultural shift in the way its employees work. DE&S has also invested heavily in new remote-working infrastructure such as laptops and other smart devices.
III. CYBER INCIDENTS AND EVENTS
We will look at several different cyber incidents and events that have been recorded over time. The incidents and events discussed are not directly reflective of the business DE&S conducts, but they are a close representation in many respects, such as attacks on public bodies and national security incidents. Detailed reports of breaches and incidents against organizations such as DE&S are rarely published, for obvious reasons. By evaluating the security incidents below, we can therefore build a picture of the types of vulnerability and risk to which institutions like DE&S may be exposed. The vulnerabilities discussed are mainly cyber incidents. However, it is important to highlight that information can be compromised in several other ways, such as a power outage leading to loss of availability, or physical theft of information leading potentially to breaches of confidentiality, integrity and availability.
A. Examples of Cyber Incidents and Events
1) Web War I – Attack on the Estonian Government (2007)
Estonia is known as one of the most connected countries in the world. However, this also paved the way for what some call the first web war, “Web War I”. In 2007 tensions broke out in the former Soviet republic between ethnic Russians and Estonians over the relocation of a bronze statue of a Soviet soldier. The resulting riots and instability were exacerbated by cyber-attacks on Estonian infrastructure [5]. An article in Wired [6] describes the events as a coordinated, layer-by-layer attack: first the foot soldiers, script kiddies who copied malware and used ping floods; then botnets consisting of thousands of compromised computers; and finally highly skilled hackers using targeted attacks to spread propaganda and steal information. Estonian infrastructure was crippled, with banking, news websites and critical government services out of action. The attack on Estonia is an example of malware and DDoS attacks, albeit a very sophisticated one. Because it was on an unprecedented scale and the attackers were well coordinated, the government and IT experts struggled to stop it. As one of the first incidents of its kind, it offered several lessons. Estonian cyber capabilities and IT management are now among the best in the world as a result of the risk management implemented since the incident [7].
2) US Customs and Border Protection (2019)
This was a ransomware attack targeted at a US Customs and Border Protection (CBP) contractor which ultimately resulted in a breach of sensitive data [8]. The reputational damage caused by the breach was ironic, as the agency is supposed to secure the nation’s borders yet failed to protect its own data. CBP described the incident as the result of a policy breach by the contractor, Perceptics, which exported sensitive data to its own servers in order to improve the services it offered by testing new number plate recognition algorithms. Perceptics’ servers were then compromised; the attacker demanded a ransom, which was refused, and the sensitive data were released on the dark web when negotiations failed. Perceptics lost many contracts with the Canadian government, leading to revenue losses. Had CBP conducted a robust assessment of its information security risks, measures could have been put in place to prevent the policy breach and avoid the embarrassing reputational damage. As for the contractor, an IRM would have identified strict processes, procedures and responsible persons to ensure policy compliance and increase risk awareness.
Another ransomware attack, in Texas, crippled the government services of 22 small Texan towns. The attack was carried out by a single actor but caused significant disruption. The vulnerability in this case was identified as the lack of IT manpower: the town governments were too small to staff their own IT, and all the affected towns used the same IT vendor. Again, an IRM would have highlighted the risks of single sourcing and of a lack of trained personnel.
IV. INFORMATION SECURITY MANAGEMENT SYSTEM (ISMS)
We have already reviewed several historic cyber incidents and established that information risk must be managed in all types of organization. DE&S, as an organization of national importance, is particularly exposed to the risks of information loss. DE&S is very good at managing the safety risks of the complex equipment it procures. I believe that information risk management should be no different. Within the safety culture, a management system consists of the following components:
1) Stakeholders – persons with a vested interest who are competent in IRM, or at least in risk management.
2) Management Plan – a documented strategy that identifies all the requirements of the system and gives guidance on how those requirements will be met.
3) Risk Analysis and Evidence – risk analysis and other key documented evidence to support the arguments made.
4) Review – continuous monitoring, learning from experience and adapting to change.
The basic principle of any management system is Plan, Do, Check, Act. The internationally accepted structure for an ISMS is the ISO 27000 family of standards [10]. Several documents in this series address different topics. ISO 27001 is the key document that any organization looking to implement or improve an ISMS must adopt: it contains the general overview, the processes, the requirements and the guidance required for an ISMS. Other documents in the series expand on topics introduced in ISO 27001. For example, ISO 27002 [10] expands on the control measures listed in Annex A of the main document.
Fig. 1. Flow diagram representing the ISO 27000 process for implementing an ISMS. The blue box identifies the processes and forms the core. Boxes on the left and the right identify inputs and outputs at different stages of the implementation [11].
The ISO 27000 set of standards provides a high-level directive and some guidance on how to implement an ISMS. Although the standard is robust in providing a structure for the ISMS, it does not specify the best methodologies for implementing it. The clearest example is the risk analysis involved in implementing the ISMS, which can be quantitative or qualitative. No best method is prescribed for carrying out the risk analysis, as the choice depends on several factors, such as differences in the perception of risk between two organizations or the type of organization. Beckers et al. concluded in their study that an ISMS is difficult to implement because of the complexity of the various documents that must be generated, especially for organizations of different kinds such as SMEs [11].
Several methodologies have been developed for conducting risk analysis. Factor Analysis of Information Risk (FAIR) is a quantitative risk analysis methodology that takes a probabilistic view of the frequency and the size of loss events in order to quantify risk. This is particularly useful when communicating risks to stakeholders who lack specialist knowledge of the business environment: an expected loss of $1M over 6 months is a measurable, contextual evaluation that anyone can understand, compared with a rating of “high risk” without any context.
Fig. 2. Visual representation of the FAIR analysis methodology.
Fig. 2 provides a visual representation of the FAIR methodology. On the left-hand side of the diagram, the loss event frequency is derived from the frequency with which a threat agent acts against the asset (the threat event frequency) and the probability that such an action succeeds given the control measures already in place (what FAIR calls vulnerability). Ideally, both figures should be informed by historical data on similar losses. On the right-hand side, the loss magnitude is made up of primary loss and secondary loss. Primary losses are the direct losses borne by the organization; secondary loss is the further loss arising from the reaction of other stakeholders to the primary loss, for example legal proceedings or regulatory fines, weighted by the probability that such a reaction occurs. FAIR also gives the analyst more specific pointers for evaluating the risk. For example, it requires the analyst to scope the risk in terms of a specific threat community, threat type and effect (the asset affected and which of confidentiality, integrity or availability is lost), so that the scenario is fixed before any figures are estimated. Loss event frequency and loss magnitude are then estimated as ranges for each scenario and modelled across multiple scenarios [14]. Monte Carlo simulation over those ranges produces a distribution of annualised loss, from which the frequencies and magnitudes of the most relevant risks can be read off and visualized.
V. RISK ANALYSIS
A risk assessment was carried out and controls were then applied in accordance with ISO 27001 Annex A [13]. The risk analysis is presented in the annexes to this article.
Fig. 3. Results of the risk analysis (bar chart of pre-treatment score against treated score for each risk, on a scale of 0 to 20) showing how the risk scores have dropped after applying specific controls.
VI. CRITICAL EVALUATION
It was decided that a qualitative risk assessment should be carried out to understand the immediate risks involved. Once these have been identified, the stakeholders can use them to build a more elaborate risk picture and conduct further assessments. One of the highest risks identified was malware attack. As shown in Fig. 3, applying ISO 27001 controls has reduced the risk score. However, these scores do not translate into a measurable impact. For example, one control suggested to reduce the risk of malware attack was to run an awareness campaign, which might be expensive. How can an organization then measure the effect of this control? Applying FAIR to these top risks would allow a quantitative assessment to be carried out and the risk to be evaluated using informed data.
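As an added illustration, not part of the original article or of any DE&S analysis, the following Python script carries out the FAIR calculation described in Section IV (loss event frequency = threat event frequency × vulnerability; loss magnitude = primary loss + probability-weighted secondary loss) by Monte Carlo simulation, and answers the question just raised: it estimates the annualised loss exposure of the malware risk R1 before and after an awareness campaign and nets the avoided loss against the campaign's cost. Every input range below is a constructed placeholder, not a DE&S figure, and the names Estimate, Scenario, simulate and control_value are this example's own.

```python
"""FAIR-style Monte Carlo estimate of annualised loss exposure (ALE).

Added illustration for this article, not part of the original analysis.
All input ranges are CONSTRUCTED placeholders for the R1 (malware)
scenario, not DE&S data; replace them with calibrated estimates.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Three-point (min, most likely, max) estimate of one FAIR factor."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular draw; when low == high it collapses to a point value.
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    """One scoped FAIR loss scenario: a threat community acting on an asset."""
    name: str
    tef: Estimate             # Threat Event Frequency, attempts per year
    vulnerability: Estimate   # P(threat event becomes a loss event), 0..1
    primary_loss: Estimate    # direct loss per loss event, GBP
    secondary_prob: Estimate  # P(secondary stakeholders react), 0..1
    secondary_loss: Estimate  # loss when they do (fines, litigation), GBP


def simulate(sc: Scenario, iterations: int = 10_000, seed: int = 1) -> dict:
    """Return percentiles, mean and max of annualised loss exposure for sc."""
    rng = random.Random(seed)
    annual = []
    for _ in range(iterations):
        # Left branch of FAIR: Loss Event Frequency = TEF x Vulnerability.
        lef = sc.tef.sample(rng) * sc.vulnerability.sample(rng)
        # Right branch: Loss Magnitude = primary + probability-weighted secondary.
        lm = sc.primary_loss.sample(rng) + (
            sc.secondary_prob.sample(rng) * sc.secondary_loss.sample(rng))
        annual.append(lef * lm)
    annual.sort()

    def pct(p: float) -> float:
        # Nearest-rank percentile on the sorted samples.
        return annual[min(len(annual) - 1, int(p / 100 * len(annual)))]

    return {"p10": pct(10), "p50": pct(50), "p90": pct(90),
            "mean": statistics.fmean(annual), "max": annual[-1]}


def control_value(before: Scenario, after: Scenario, annual_cost: float,
                  iterations: int = 10_000, seed: int = 1) -> float:
    """Expected annual loss avoided by a control, net of what the control costs."""
    b = simulate(before, iterations, seed)["mean"]
    a = simulate(after, iterations, seed)["mean"]
    return (b - a) - annual_cost


# Constructed placeholder estimates for R1 (malware via email/web), not real figures.
MALWARE_BEFORE = Scenario(
    "R1 malware, current controls",
    tef=Estimate(20, 50, 120),
    vulnerability=Estimate(0.05, 0.15, 0.30),
    primary_loss=Estimate(20_000, 80_000, 400_000),
    secondary_prob=Estimate(0.1, 0.3, 0.6),
    secondary_loss=Estimate(50_000, 250_000, 2_000_000),
)
# Same scenario after an awareness campaign; only the vulnerability factor is
# assumed to change (fewer successful lures), everything else is held constant.
MALWARE_AFTER = Scenario(
    "R1 malware, after awareness campaign",
    tef=MALWARE_BEFORE.tef,
    vulnerability=Estimate(0.02, 0.08, 0.20),
    primary_loss=MALWARE_BEFORE.primary_loss,
    secondary_prob=MALWARE_BEFORE.secondary_prob,
    secondary_loss=MALWARE_BEFORE.secondary_loss,
)

if __name__ == "__main__":
    for sc in (MALWARE_BEFORE, MALWARE_AFTER):
        r = simulate(sc)
        print(f"{sc.name}: p10 £{r['p10']:,.0f}  p50 £{r['p50']:,.0f}  "
              f"p90 £{r['p90']:,.0f}  mean £{r['mean']:,.0f}")
    print("net value of a £150k/yr campaign: "
          f"£{control_value(MALWARE_BEFORE, MALWARE_AFTER, 150_000):,.0f}")
```

The point of the comparison is that the same seed is used for both runs, so the only thing that differs between the "before" and "after" distributions is the factor the control is claimed to change; the percentile spread (p10 to p90) shows the stakeholders how much of the answer is uncertainty in the estimates rather than a single "high risk" label.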
A recurring control measure applicable to most risks is A16, Information Security Incident Management, which covers aspects such as incident reporting and learning from experience. To enable this, it is recommended that a competent person is identified as the key ISMS facilitator, who is then able to manage aspects of the ISMS and facilitate periodic review in the form of working groups or expert panels.
ISO 27000 provides a good strategy and satisfactory direction for setting up an ISMS. This highlights the importance of applying the ISMS with the investment of senior leadership and competent personnel. Moreover, I believe that combining an ISMS with other risk analysis methodologies can be beneficial in creating a robust ISMS. For example, The Open Group’s guidance on combining ISO 27005 with FAIR [12] provides excellent guidance on how FAIR can be combined with ISO 27000.
Despite the lack of detailed guidance in ISO 27000, I found the control mechanism presented in Annex A of ISO 27001 to be extremely useful and informative. FAIR, on the other hand, has many sophisticated tools and techniques but lacks simplicity.
ANNEX
Annex A: List of Assets
Annex B: Risk Identification and Initial Assessment
Annex C: Risk Matrix
Annex D: Risk Assessment
Annex E: Risk Treatment
REFERENCES
[1] Pew Research Center, “Mobile Fact Sheet,” [online]. Available at: https://www.pewresearch.org/internet/fact-sheet/mobile/ [Accessed 15 Apr. 2020].
[2] UK Government, “Government Transformation Strategy,” 2017, [online]. Available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/590199/Government_Transformation_Strategy.pdf [Accessed 15 Apr. 2020].
[3] Martin, A., “Cyber security breaches hit unprecedented highs in UK defence industry,” Sky News, 2020, [online]. Available at: https://news.sky.com/story/cyber-security-breaches-hit-unprecedented-highs-in-uk-defence-industry-11903520 [Accessed 15 Apr. 2020].
[4] Defence Equipment and Support, “Equipping and Supporting the UK’s armed forces for operations now and in the future,” Corporate Plan 2019, [online]. Available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/816278/20190708_DES_Corp-plan-2019-FINAL_redacted.pdf [Accessed 13 Nov. 2019].
[5] Gazula, M., “Cyber Warfare Conflict Analysis and Case Studies,” 2017, pp. 68–70, [online]. Available at: http://web.mit.edu/smadnick/www/wp/2017-10.pdf [Accessed 15 Apr. 2020].
[6] Davis, J., “Hackers Take Down the Most Wired Country in Europe,” Wired, 2007, [online]. Available at: https://www.wired.com/2007/08/ff-estonia/ [Accessed 17 Apr. 2020].
[7] McGuinness, D., “How a cyber-attack transformed Estonia,” BBC News, 27 Apr. 2017, [online]. Available at: https://www.bbc.co.uk/news/world-europe-45747472
[8] Fruhlinger, J., “What is a cyber-attack? Recent examples show disturbing trends,” CSO, 2020, [online]. Available at: https://www.csoonline.com/article/3237324/what-is-a-cyber-attack-recent-examples-show-disturbing-trends.html [Accessed 17 Apr. 2020].
[9] Hamdi, Z. et al., J. Phys.: Conf. Ser. 1339 012103, 2019, [online]. Available at: https://doi.org/10.1088/1742-6596/1339/1/012103 [Accessed 17 Apr. 2020].
[10] BSI, “Information technology — Security techniques — Code of practice for information security controls,” BS EN ISO/IEC 27002:2017 (ISO/IEC 27002:2013), 2017.
[11] Beckers, K., Faßbender, S., Heisel, M. and Schmidt, H., “Using Security Requirements Engineering Approaches to Support ISO 27001 Information Security Management Systems Development and Documentation,” IEEE, 2012, DOI 10.1109/ARES.2012.35, [online]. Available at: https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6329189 [Accessed 20 Apr. 2020].
[12] The Open Group, “FAIR – ISO/IEC 27005 Cookbook,” 2010, [online]. Available at: https://pubs.opengroup.org/onlinepubs/9698999699/toc.pdf [Accessed 17 Apr. 2020].
[13] BSI, “Information technology — Security techniques — Information security management systems — Requirements,” BS EN ISO/IEC 27001:2017 (ISO/IEC 27001:2013), 2017.
[14] Jones, J., “An Introduction to Factor Analysis of Information Risk (FAIR),” Risk Management Insight, 2005.

ANNEX A: LIST OF ASSETS
Key DE&S assets were identified from information available in the public domain. The most valuable asset DE&S holds is the data across its business, and the confidentiality of that data is paramount. Several risks were then identified, based on historical events and on the vulnerabilities relating to these key assets. After the initial assessment, each risk was scored within the context of the asset’s vulnerability and the probability and severity of the risk, using the risk matrix in Annex C.

Each entry gives: ID, asset, owner, information asset type, and description.

A1 Datacenter (owner: MoD/subcontractors; type: Data and Hardware): Key IT infrastructure that enables the organization to function by providing access to its data, and ensures business continuity by enabling backups. The infrastructure is owned by the MoD; services are provided by reputable subcontractors.
A2 IT Network (owner: MoD/subcontractors; type: Communication/Data/Hardware): Network infrastructure including servers, routers, etc.
A3 Website (owner: MoD; type: Communication): Multiple websites enabling key communications with the public and other businesses, e.g. recruitment campaigns and maintaining the corporate image.
A4 IT Hardware (owner: MoD; type: Technology/Hardware/Communication): Key IT equipment such as laptops, mobile devices and bespoke secure standalone terminals for sensitive use. Enables the organization to function and forms part of business continuity.
A5 Site Protection Equipment (owner: MoD; type: Technology/Hardware): Equipment used to ensure site security, such as communication masts, CCTV and detectors. Ensures resilience.
A6 Contracts/Business Documents (owner: MoD; type: Data): Key documents such as contracts, safety records, HR records, technical documents and engineering drawings.
A7 Bespoke Software (owner: MoD; type: Technology/Communication/Data): Bespoke software used for the business, e.g. logistics software, technical analysis, issuing contracts and people management.
A8 Financial Records (owner: MoD; type: Data): Sensitive multinational projects costing billions, and the 5th largest operating defence budget in the world, mean highly sensitive financial data.

ANNEX B: RISK IDENTIFICATION AND INITIAL ASSESSMENT
Each entry gives: risk ID and risk; threats; asset IDs affected; CIA property affected; initial assessment.

R1 Malware
  Threats: loss of confidential data; legal implications; reputational damage; national security breach
  Assets: A1-A10
  C/I/A: C/I/A
  Assessment: Malware can have a significant impact on the business and on the majority of the assets identified. Loss of data such as contracts will have a big impact on the business and on national security.

R2 MITM Attack
  Threats: loss of confidential data; financial loss; IP loss
  Assets: A1/A6/A9/A10
  C/I/A: C/I
  Assessment: MITM can cause significant harm if confidentiality is lost. The legal implications and the resulting reputational damage will be significant.

R3 Insider Attack
  Threats: loss of confidential data; legal implications; reputational damage; national security breach
  Assets: A1/A2/A4/A5/A6/A8/A10
  C/I/A: C/I/A
  Assessment: Insider threats are probably the most likely risk considering the size of the organization. An insider attack that has slipped through existing control measures will be hard to contain. It could cause significant damage, including financial and legal.

R4 Social Engineering
  Threats: undetected espionage; loss of confidential data; compromise of security infrastructure; national security breach
  Assets: A5/A6/A8/A10
  C/I/A: C/I
  Assessment: Social engineering and insider attack go hand in hand; the threat types are very similar. Significant risk of continued espionage and of employee welfare harm. Undetected security breaches will also lead to more significant loss.

R5 Human Error
  Threats: damage to IT infrastructure; compromised security settings; financial implications
  Assets: A1/A2/A4/A5/A6/A8/A10
  C/I/A: C/I/A
  Assessment: Human error can cause significant issues, for example accidentally plugging in a compromised USB device, leading to other risks such as malware attack; unintended loss of sensitive data; compromise of national security information. All of these could lead to safety issues and financial/legal implications.

R6 Phishing
  Threats: loss of confidential data; financial loss; security infrastructure compromise; personal/mental distress
  Assets: A6/A8/A10
  C/I/A: C/I
  Assessment: Phishing attacks are a significant risk because of their reach to mass targets and ease of operation. Repeated occurrences can amount to confidential data loss, financial implications and legal challenges.

R7 Natural Calamities
  Threats: infrastructure damage; impact on business continuity; data loss; financial loss
  Assets: A1/A2/A4/A5
  C/I/A: A
  Assessment: Natural calamities, if not risk assessed, can cause issues relating to the availability of data and information. Damage to infrastructure is also a risk resulting in information loss.

R8 Power Outage
  Threats: hardware damage; loss of data; financial implications
  Assets: A1/A2/A5
  C/I/A: A
  Assessment: Relatively low risk. Power issues could cause hardware damage and availability issues if, for example, the data centre goes offline.

R9 Physical Theft
  Threats: loss of data; reputational damage; financial loss; legal implications; national security breach
  Assets: A4/A5/A6/A8/A10
  C/I/A: C/I/A
  Assessment: Physical theft is a serious risk but a low threat with the controls already in place. Physical theft can also be attributed to human error, social engineering and insider attack, so addressing those risks should effectively control this one.

ANNEX C: RISK MATRIX

Risk score = Likelihood (probability) x Impact to the business (severity). Each is rated on a scale of 1 to 5: 1 Low, 2 Low-Med, 3 Medium, 4 Med-High, 5 High.

                           Impact to the business (Severity)
Likelihood (probability)     1     2     3     4     5
1 Low                        1     2     3     4     5
2 Low-Med                    2     4     6     8    10
3 Medium                     3     6     9    12    15
4 Med-High                   4     8    12    16    20
5 High                       5    10    15    20    25

The above risk matrix is used to assess the risks identified: each risk is scored according to its severity and its probability of occurrence, and the product gives the risk score.

ANNEX D: RISK ASSESSMENT

Each entry gives: risk ID and risk; asset IDs; probability; severity; score (probability x severity); assessed risk level; justification.

R1 Malware (A1-A10): probability 4, severity 4, score 16, Med-High. Malware attacks are increasingly common; increased probability of attack from foreign states, allied states and hacktivists.
R2 MITM Attack (A1/A6/A9/A10): probability 3, severity 4, score 12, Med. Increase in flexible working; increased probability of MITM.
R3 Insider Attack (A1/A2/A4/A5/A6/A8/A10): probability 4, severity 4, score 16, Med-High. Large number of employees, increasing the chance of intentional as well as accidental insider threat.
R4 Social Engineering (A5/A6/A8/A10): probability 3, severity 3, score 9, Med. Increase in recruitment; new joiners unaware of policy, unsecured social media presence and unintended risks.
R5 Human Error (A1/A2/A4/A5/A6/A8/A10): probability 2, severity 2, score 4, Low-Med. Increase in new joiners unaware of company policies; increase in accidental use of unauthorized devices, such as USB phone charging.
R6 Phishing (A6/A8/A10): probability 4, severity 3, score 12, Med. Increased probability, but limited severity because of active communication about phishing attacks.
R7 Natural Calamities (A1/A2/A4/A5): probability 1, severity 2, score 2, Low. Low likelihood; the business continuity plan provides an initial risk mitigation.
R8 Power Outage (A1/A2/A5): probability 1, severity 2, score 2, Low. Low likelihood, with business continuity plans in place.
R9 Physical Theft (A4/A5/A6/A8/A10): probability 1, severity 3, score 3, Low-Med. Low likelihood: employees are vetted, and unauthorized access is strictly controlled as a secure site.

ANNEX E: RISK TREATMENT

Each entry gives: risk ID and risk; asset IDs; assessed risk (score and level); ISO 27001 Annex A controls applied; treatment; treated probability, severity and risk; recommendations.

R1 Malware (A1-A10); assessed risk 16 (Med-High)
  Controls: A12.2.1 Controls against malware; A13.2.3 Electronic messaging; A14.1.2 Securing application services on public networks; A16 Information security incident management
  Treatment: Mitigate
  Treated: probability 3 (Med), severity 4 (Med-High), risk 12 (Med)
  Recommendations: In line with the above controls recommended by the ISO standard, put a policy in place to mitigate the risks of accessing external files and installing unauthorized software, and enable scanning of email and web pages. Report incidents, set up communication chains and use learning from experience as a strategy. Run campaigns on best practice for media handling and conduct regular analysis of security incidents.

R2 MITM Attack (A1/A6/A9/A10); assessed risk 12 (Med)
  Controls: A11.2 Equipment; A13.1 Network security management; A14.1.2 Securing application services on public networks; A16 Information security incident management
  Treatment: Mitigate
  Treated: probability 2 (Low-Med), severity 3 (Med), risk 6 (Low-Med)
  Recommendations: In line with the controls listed above, all critical hardware and equipment are maintained accordingly. Where applicable, data is transferred in accordance with the relevant policies, for example by using a VPN or encryption, or under a policy against using unsecured public networks for sensitive file transfer.

R3 Insider Attack (A1/A2/A4/A5/A6/A8/A10); assessed risk 16 (Med-High)
  Controls: A7 Human resource security; A8.3 Media handling; A9 Access control; A12.2 Protection from malware; A13.2 Information transfer; A16 Information security incident management
  Treatment: Mitigate
  Treated: probability 3 (Med), severity 4 (Med-High), risk 12 (Med)
  Recommendations: New employees are vetted accordingly. Security clearances are reviewed periodically. Access to sensitive data and areas is controlled. Awareness campaigns on media handling are run.

R4 Social Engineering (A5/A6/A8/A10); assessed risk 9 (Med)
  Controls: A7 Human resource security (A7.2.2 Information security awareness, education and training); A8.2 Information classification; A9.2 User access management; A13 Communications security (information transfer)
  Treatment: Mitigate
  Treated: probability 2 (Low-Med), severity 2 (Low-Med), risk 4 (Low-Med)
  Recommendations: Awareness, education and training are provided to employees on the risks of social engineering. Information is classified and access control is used to limit the damage in a social engineering scenario. Procedures are in place for protecting sensitive data during transfer or when it is used for communication and other business purposes.

R5 Human Error (A1/A2/A4/A5/A6/A8/A10); assessed risk 4 (Low-Med)
  Controls: A13.1 Network security management; A16 Information security incident management
  Treatment: Mitigate
  Treated: probability 2 (Low-Med), severity 1 (Low), risk 2 (Low)
  Recommendations: Clear procedures for information handling and operations are developed. Awareness and communication of procedures and best practice are increased. Controlled change management is in place and communicated accordingly.

R6 Phishing (A6/A8/A10); assessed risk 12 (Med)
  Controls: A12.1 Operational procedures and responsibilities; A13 Communications security; A14.1 Security requirements of information systems
  Treatment: Mitigate / Transfer
  Treated: probability 3 (Med), severity 3 (Med), risk 6 (Low-Med)
  Recommendations: All communications security aspects are reviewed. Engage with network and application providers to identify electronic phishing scams. Enable incident reporting and logging.

R7 Natural Calamities (A1/A2/A4/A5); assessed risk 2 (Low)
  Controls: A11 Physical and environmental security; A12.3.1 Information backup; A17 Information security aspects of business continuity management
  Treatment: Mitigate
  Treated: probability 1 (Low), severity 2 (Low-Med), risk 2 (Low)
  Recommendations: The business continuity plan ensures a procedure is in place for information availability. Identify and test means of communication. Review physical site security, e.g. data centre security.

R8 Power Outage (A1/A2/A5); assessed risk 2 (Low)
  Controls: A12.3.1 Information backup; A17 Information security aspects of business continuity management
  Treatment: Transfer
  Treated: probability 1 (Low), severity 2 (Low-Med), risk 2 (Low)
  Recommendations: As for R7: the business continuity plan ensures a procedure is in place for information availability; identify and test means of communication; review physical site security, e.g. data centre security.

R9 Physical Theft (A4/A5/A6/A8/A10); assessed risk 3 (Low-Med)
  Controls: A11 Physical and environmental security
  Treatment: Mitigate / Transfer
  Treated: probability 1 (Low), severity 1 (Low), risk 1 (Low)
  Recommendations: The risk is communicated to site security. Explore the possibility of site security services acting as a key stakeholder in IRM.