| Field | Value |
|---|---|
| Document ID | ISMS-PROC-001 |
| Version | 0.1 |
| Status | Draft |
| Classification | Internal |
| Owner | Information Security Officer |
| Approved by | Managing Director |
| Approval date | pending |
| Effective from | pending |
| Next review | Annually, and on every material change to the ISMS |
| Mandatory under | ISO/IEC 27001:2022 clauses 6.1.2 (risk assessment) and 6.1.3 (risk treatment) |
This procedure is the methodology behind the Risk Register.
It describes how BackupExperts identifies, analyses, evaluates, and
treats information-security risks, and how the results are recorded
and reviewed. It is the document that an auditor reads to confirm
that the register's content is the product of a defined, repeatable
process.
The Risk Register is the output of applying this procedure. The
Statement of Applicability is a
further output, mapping every risk-treatment decision against the
Annex A control catalogue.
Applies to every risk that could affect the confidentiality,
integrity, or availability of information assets within the
ISMS scope. Includes risks arising from BackupExperts'
operations, its customers' use of BackupExperts services,
sub-processors, and the regulatory environment.
┌──────────────────────────────────────────────────┐
│  1. Identify → 2. Analyse → 3. Evaluate          │
│       ↑                                │         │
│       │                                ↓         │
│  6. Re-assess ← 5. Monitor ← 4. Treat            │
└──────────────────────────────────────────────────┘
Approve at every step (§9)
| Phase | Output |
|---|---|
| 1. Identify | A candidate risk row added to the Risk Register §3 |
| 2. Analyse | Likelihood (L) and Impact (I) scored per §6 |
| 3. Evaluate | Risk Score (L × I) compared to acceptance criteria §7 |
| 4. Treat | Treatment option selected per §8 with a plan, owner, and target date |
| 5. Monitor | Treatment progress and residual risk reviewed at the cadence in §10 |
| 6. Re-assess | Risk re-scored if circumstances change; closed when fully treated |
| Role | Responsibility |
|---|---|
| Information Security Officer (ISO) | Owns this procedure; runs identification, analysis, evaluation, and proposes treatment. Maintains the Risk Register and Statement of Applicability. |
| Managing Director (MD) | Approves treatment decisions, accepts residual risk above defined thresholds (§7), and confirms the register at every quarterly review. |
| Risk owner | Named individual accountable for the chosen treatment of a specific risk. For BackupExperts at present (sole proprietor), the risk owner is the MD or ISO; the role is recorded explicitly per InfoSec Policy §5.1. |
| Trigger | Action |
|---|---|
| Quarterly review of the Risk Register | Walk through every existing entry; add new candidate risks surfaced since the last review. |
| New asset, supplier, or service line added | Identify risks specific to that addition before bringing it into operational use. |
| New incident occurs | Identify the underlying risk if not already in the register; raise as a candidate within the post-mortem (Cl. 10). |
| New regulatory or contractual requirement | Identify risks of non-compliance and treat. |
| Internal or external audit raises a finding | Each finding is treated as a candidate risk to be added. |
| Annual comprehensive re-identification | Walk the entire ISMS: scope, assets, suppliers, processes, threats. |
The ISO consults at minimum:
Each identified risk is added to Risk Register §3
with a unique ID (sequential R-NNN), a one-paragraph description,
the assets/services affected, and an initial owner. Identification
without immediate analysis is permitted; analysis (§6) follows in the
same review session where practicable.
Risks are scored on two scales: Likelihood (L) and Impact (I).
Scoring is recorded in the register and is repeatable: the same
ISO/MD looking at the same facts at a different time should arrive at
the same score within ±1 on each axis.
| Score | Likelihood label | Definition |
|---|---|---|
| 1 | Low | Unlikely to occur in the next 12 months given current controls. |
| 2 | Medium | Plausible within the next 12 months; would require a chain of unlikely events to occur. |
| 3 | High | Expected to occur within the next 12 months unless action is taken. |
| 4 | Critical | Already occurring or imminent. |
| Score | Impact label | Definition |
|---|---|---|
| 1 | Minor | Localised, fully recoverable, no customer or regulator notification required. |
| 2 | Material | Customer notification, partial service disruption, recoverable within RPO/RTO. |
| 3 | Severe | Contractual breach, multi-customer impact, regulator notification possible, recovery beyond RPO/RTO. |
| 4 | Existential | Large-scale data loss, multi-customer impact, fines, contract termination, or business viability threatened. |
Risk score = L × I. Range: 1 to 16. The score, the L value, and
the I value are all recorded in the register so the underlying
judgement is visible (a score of 6 from 2×3 is not the same problem
as 6 from 3×2).
When scoring, the ISO documents in a short note (in the register
entry, or in the quarterly review minutes) what made the L and I
take their value: which controls reduce L, which compensating
mechanisms cap I, what observed history bounded the score upward.
This makes scores defensible at audit and stable across re-scorings.
The acceptance criteria are:
| Score | Action |
|---|---|
| 1–4 | Accept with monitoring; review at the next quarterly cadence. |
| 5–9 | Mitigate; treatment plan with owner and target date required. |
| 10–12 | Mitigate now; treatment plan signed off by the MD. |
| 13–16 | Mitigate now; treatment plan signed off by the MD; stop-the-line if the risk involves customer data confidentiality or integrity. |
A risk above 5 that is accepted (rather than mitigated, transferred
or avoided) requires written rationale and MD approval, recorded in
the register entry, with a re-evaluation date.
For each risk above the acceptance threshold the ISO selects one of:
| Option | When to choose |
|---|---|
| Mitigate | Implement controls that reduce L, I, or both — preferred default. |
| Transfer | Move the risk to a third party (e.g. cyber liability insurance for residual financial impact). |
| Avoid | Stop or change the activity so the risk no longer applies (e.g. discontinue a feature whose risk cannot be brought to acceptable). |
| Accept | Formally accept the residual risk, with rationale and re-evaluation date. Permitted above the acceptance threshold only with MD approval (§7). |
Combinations are allowed (e.g. mitigate to bring score down + transfer
the residual via insurance).
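The scoring rules in §6, the acceptance bands in §7, and the treatment options in §8 are simple enough to check mechanically. The following is an added example, not part of the BackupExperts procedure or its register: a small linter that takes register rows (the field names and sample rows are constructed for illustration) and reports where an entry breaks a rule stated above, such as a recorded score that is not L × I, a band 5–9 entry with no owner or target date, a band 10–16 entry without MD sign-off, or a risk above 5 accepted without rationale, MD approval and a re-evaluation date. It also surfaces the §7 stop-the-line condition.

```python
"""Added example (not BackupExperts' own tooling): lint Risk Register rows
against the scoring (section 6), acceptance (section 7) and treatment
(section 8) rules of the procedure. Field names and sample rows are
constructed assumptions for illustration only."""

from dataclasses import dataclass
from typing import Dict, List

VALID_TREATMENTS = {"Mitigate", "Transfer", "Avoid", "Accept"}


@dataclass
class RiskEntry:
    risk_id: str                    # sequential R-NNN
    likelihood: int                 # L, scored 1-4
    impact: int                     # I, scored 1-4
    recorded_score: int             # what the register row says the score is
    treatment: str                  # "Mitigate", or a combination "Mitigate + Transfer"
    owner: str = ""                 # risk owner named in the treatment plan
    target_date: str = ""           # treatment target date
    md_signoff: bool = False        # MD has signed off the entry
    rationale: str = ""             # written rationale (required for Accept above 5)
    reeval_date: str = ""           # re-evaluation date (required for Accept above 5)
    customer_data_ci: bool = False  # confidentiality/integrity of customer data involved


def compute_score(likelihood: int, impact: int) -> int:
    """Risk score per section 6: L x I on two 1-4 scales, range 1-16."""
    if not (1 <= likelihood <= 4 and 1 <= impact <= 4):
        raise ValueError("L and I must each be scored 1-4")
    return likelihood * impact


def required_action(score: int) -> str:
    """Acceptance band per section 7."""
    if score <= 4:
        return "accept-with-monitoring"
    if score <= 9:
        return "mitigate"
    if score <= 12:
        return "mitigate-now-md-signoff"
    return "mitigate-now-md-signoff-stop-the-line"


def validate_entry(e: RiskEntry) -> List[str]:
    """Return a list of findings for one register row (empty list = compliant)."""
    findings: List[str] = []
    try:
        score = compute_score(e.likelihood, e.impact)
    except ValueError as err:
        return [str(err)]
    # The register records L, I and the score; all three must agree.
    if e.recorded_score != score:
        findings.append(f"recorded score {e.recorded_score} != L x I = {score}")

    treatments = {t.strip() for t in e.treatment.split("+")}
    unknown = treatments - VALID_TREATMENTS
    if unknown:
        findings.append(f"unknown treatment option(s): {sorted(unknown)}")

    band = required_action(score)
    # Section 7: accepting a risk above 5 needs rationale, MD approval, re-evaluation date.
    if "Accept" in treatments and score > 5:
        if not e.rationale:
            findings.append("accepted above 5 without written rationale")
        if not e.md_signoff:
            findings.append("accepted above 5 without MD approval")
        if not e.reeval_date:
            findings.append("accepted above 5 without re-evaluation date")
    # Section 7 bands: active treatment needs a plan (owner + target date); 10+ needs MD sign-off.
    if treatments - {"Accept"} and band != "accept-with-monitoring":
        if not e.owner:
            findings.append("treatment plan has no owner")
        if not e.target_date:
            findings.append("treatment plan has no target date")
        if band.startswith("mitigate-now") and not e.md_signoff:
            findings.append("score 10-16 treatment plan not signed off by MD")
    # Section 7: 13-16 involving customer-data confidentiality/integrity is stop-the-line.
    if score >= 13 and e.customer_data_ci:
        findings.append("stop-the-line: score 13-16 with customer data C/I at stake")
    return findings


def lint_register(entries: List[RiskEntry]) -> Dict[str, List[str]]:
    """Lint every row; map risk ID to its findings."""
    return {e.risk_id: validate_entry(e) for e in entries}


# Constructed sample rows (not real register content).
SAMPLE_REGISTER = [
    RiskEntry("R-001", 2, 3, 6, "Mitigate", owner="ISO", target_date="2025-09-30"),
    RiskEntry("R-002", 3, 4, 12, "Accept"),
    RiskEntry("R-003", 4, 4, 15, "Mitigate + Transfer", owner="MD",
              target_date="2025-07-01", md_signoff=True, customer_data_ci=True),
    RiskEntry("R-004", 1, 2, 2, "Accept"),
]

if __name__ == "__main__":
    for risk_id, findings in lint_register(SAMPLE_REGISTER).items():
        print(risk_id, "OK" if not findings else findings)
```

Running this over the constructed rows reports nothing for R-001 and R-004, three missing items for the accepted R-002, and for R-003 both the score mismatch (4 × 4 is 16, not 15) and the stop-the-line flag. Run it as part of the quarterly walk-through before the register is confirmed.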
Where the treatment is Mitigate, the ISO selects controls
sufficient to bring the residual score below the acceptance threshold.
Selection follows this hierarchy:
ISO/IEC 27001:2022 clause 6.1.3 c) requires that the treatment
controls be compared against Annex A to confirm that no necessary
control has been omitted. This comparison is the Statement of
Applicability, which is reviewed
whenever the Risk Register changes.
For each risk requiring treatment the register entry records:
The risk owner approves the treatment plan in writing in the register
entry. Where the risk owner is the MD (which, under sole-proprietor
operation, is most cases), the approval is the MD's signed-off
register entry, which counts as a documented decision under the
compensating controls in InfoSec Policy §5.1.
Outputs of this procedure that ISO/IEC 27001:2022 requires to be retained:
| Record | Where it lives |
|---|---|
| Risk identification — list of identified risks, with owners | Risk Register §3 |
| Risk analysis — L, I and resulting Score per risk | Risk Register §3 |
| Risk evaluation — comparison against acceptance criteria | Risk Register §3 (Status column) |
| Treatment decisions and plans | Risk Register §3 (Treatment column) |
| Risk-owner approvals | Recorded inline in the register entry |
| Risk-acceptance decisions | Risk Register §5 |
| Statement of Applicability | /isms/statement-of-applicability |
| Quarterly review minutes | (planned — to be linked from the Risk Register and the management review records) |
Retention: at minimum three years, longer where law or contract
requires (per Backup Policy §5 and the forthcoming Records Retention
document (planned)).
| Activity | Cadence |
|---|---|
| Walk-through of the entire register | Quarterly (ISO) |
| Re-score every open risk | Quarterly, or immediately on any material change to controls, threats, or environment |
| Confirm treatments still on track | Quarterly |
| Annual comprehensive re-identification | Once per year, ahead of the annual management review |
| Update Statement of Applicability | Whenever a treatment is implemented, withdrawn, or a new control is brought in |
| Report to management review | At every management review (Cl. 9.3) — register status, completed treatments, residual risk distribution, top open risks |
To meet ISO/IEC 27001:2022 clause 6.1.2 b) (assessments must produce
consistent, valid, comparable results):