| Document ID | ISMS-RISK-001 |
| Version | 0.1 |
| Status | Draft |
| Classification | Internal |
| Owner | Information Security Officer |
| Approved by | Managing Director |
| Approval date | pending |
| Effective from | pending |
| Next review | Quarterly, and whenever a new material risk is identified |
| ISO 27001 clauses | 6.1.2, 6.1.3, 8.2, 8.3 |
This register identifies the information-security risks to which
BackupExperts and its customers are exposed in the scope of the
ISMS, assesses each risk, and records the chosen
treatment. It feeds the Statement of Applicability
(planned) and is reviewed at every management review.
The methodology that produced this register — identification triggers,
scoring rules, evaluation criteria, treatment selection, and
re-assessment cadence — is documented in the
Risk Management Process. The summary
below is the at-a-glance lookup; the process document is canonical.
| Score | Likelihood | Impact |
|---|---|---|
| 1 — Low | Unlikely within a 12-month window | Minor: localised, recoverable, no customer or regulator notification |
| 2 — Medium | Plausible within a 12-month window | Material: customer notification, partial service disruption, recovery possible |
| 3 — High | Expected within a 12-month window without action | Severe: contractual breach, multi-customer impact, possible regulator notification |
| 4 — Critical | Already occurring or imminent | Existential: large-scale data loss, multiple-customer impact, fines or contract termination |
Risk score = Likelihood × Impact. Treatment threshold:
| ID | Risk | L | I | Score | Treatment | Owner | Target date | Status |
|---|---|---|---|---|---|---|---|---|
| R-001 | Single-person operation — separation of duties not achievable. Managing Director and ISO held by one person; no one to challenge decisions or independently verify privileged actions. | 3 | 3 | 9 | Mitigate via the compensating controls in InfoSec Policy §5.1: documented decisions, external review, customer challenge, two-person sign-off where customer-supplied. Long-term: appoint external ISO or split roles. | MD | plan to revisit at every quarterly review | Open — accepted with compensating controls |
| R-002 | No second off-site copy of customer backups beyond the basement. Loss of the basement (fire, theft, hardware failure cluster) loses all BackupExperts-side copies; restore would depend on customer-side local copies. | 2 | 4 | 8 | Mitigate by replicating MinIO contents to a Hetzner-hosted S3 endpoint (or equivalent) as a second off-site copy. | ISO | target: define within next quarter | Open |
| R-003 | Basement physical security gaps. Window in the server room (potential ingress); no climate control. Locked metal door + 24/7 CCTV (30-day retention) + self-hosted fire alarm partially mitigate. | 2 | 3 | 6 | Mitigate: (a) harden the window (bars or security film) or move equipment out of its line of sight; (b) install climate control, or temperature/humidity monitoring with alerting; (c) periodic alarm and CCTV verification, logged in records. | ISO | (a) and (b) target Q3; (c) start immediately | Open |
| R-004 | No formally committed RPO and RTO. Backup Policy cites an SLA model but the numbers are not yet recorded; customers may have differing expectations. | 3 | 3 | 9 | Mitigate: pick a single committed RPO and RTO that BackupExperts can demonstrably meet, record in Continuity → RTO/RPO (planned), reflect in customer service contracts on next renewal. | MD | target: this quarter | Open |
| R-005 | No customer-facing Data Processing Agreement. GDPR Article 28 requires a written DPA. Hetzner DPA is in place; customer DPAs are not formalised. | 3 | 4 | 12 | Sequenced mitigation. Step 1: complete the operational documentation that describes what personal data BackupExperts processes, where it is held, and how it is protected (asset inventory, data classification policy, cryptography policy, backup configuration runbook, customer offboarding runbook, privacy policy). Step 2: the Managing Director drafts the DPA using the operational docs as the source of truth, then has it reviewed by legal counsel. Step 3: attach the DPA to each existing customer contract on next renewal (sooner if a customer requests). | MD | Step 1 in progress; Step 2 begins on Step 1 completion | Open |
| R-006 | No formal solo-unavailability cover (illness, holiday). Customer service degrades without a documented continuity plan; backups continue running unattended but restores cannot be served. | 4 | 3 | 12 | Mitigate: establish a written cover agreement with another MSP or a trusted technician; until in place, document accepted reduced availability in customer contracts and the BCP. | MD | high priority | Open |
| R-007 | Personal laptop (BYOD) used for BackupExperts work. Compensated by full-disk encryption (BitLocker), Microsoft Defender, MFA, and Vaultwarden — but no central device management, no remote wipe path, mixing of personal and professional data is possible. | 2 | 3 | 6 | Mitigate: (a) document the BYOD compensating controls explicitly in the Access Control Policy and Acceptable Use Policy (planned); (b) evaluate procuring a dedicated work laptop with Intune management. | ISO | (a) immediate; (b) within 12 months | Open |
| R-008 | No central identity provider — per-app accounts with per-app MFA. Increases the attack surface (each app must be hardened individually), complicates leaver / revocation processes, makes access review labour-intensive. | 2 | 3 | 6 | Mitigate: keep an inventory of all in-use accounts in Vaultwarden as the de facto register. Long-term: evaluate self-hosted Authentik or similar to consolidate. | ISO | inventory now; consolidation within 12 months | Open |
| R-009 | No cyber liability insurance. Loss event has no insurance backstop; customer DPAs / RFPs increasingly expect insurance to be in force. | 2 | 4 | 8 | Transfer: procure a cyber liability policy at appropriate limit. | MD | initiate this quarter | Open |
| R-010 | No formal certificate-of-destruction process for decommissioned customer disks. Disks are wiped but the wipe is not documented per customer in a way that survives later inquiry. | 2 | 2 | 4 | Mitigate: introduce a one-page certificate-of-destruction template recording date, method (e.g. nwipe), serial numbers, technician (Operator), and store with the customer's onboarding records. | ISO | low effort — within one month | Open |
| R-011 | MinIO Object Lock coverage not yet verified per bucket. Backup Policy §3.3 requires immutability against ransomware; if Object Lock is not enabled on every bucket used by Veeam, a compromised credential could delete backups. | 3 | 4 | 12 | Mitigate now: audit each MinIO bucket used by Veeam, enable Object Lock with appropriate retention, document the bucket → customer mapping in /runbooks/backup-configuration (planned). | ISO | immediate | Open |
| R-012 | Awareness training for solo operator — no formal external training programme. | 2 | 2 | 4 | Mitigate: complete an external information security awareness course annually (e.g. an ISO 27001 self-paced course) and record completion in the training log (planned); formal annual self-attestation against this policy set. | ISO | annual cycle | Open |
| R-013 | No documented disposal procedure for BackupExperts-owned equipment at end of life (work laptop, basement hardware). | 1 | 3 | 3 | Mitigate: when the next device is decommissioned, follow the procedure in R-010, verify FDE on the laptop is enabled, and record disposal in the asset register. | ISO | on next disposal | Open |
| R-014 | Customer authorised-contact list completeness. Restore Procedure requires the requester to be on a documented list per customer; backfill may be incomplete for older customers. | 2 | 3 | 6 | Mitigate: audit each existing customer's onboarding document; backfill missing authorised-contact lists with each customer; treat any restore from a customer without a documented list as requiring Operator-defined fallback verification (call known number from contract). | ISO | within one quarter | Open |
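The audit step in R-011 ("audit each MinIO bucket used by Veeam, enable Object Lock with appropriate retention") is the one mechanical check in this register, so a worked version follows. This is an added example, not part of the register or of BackupExperts' tooling. It drives a boto3-style S3 client (MinIO speaks the S3 API; `boto3.client("s3", endpoint_url=...)` pointed at the MinIO endpoint would be the real client), but the `FakeMinIO` class and its five buckets are constructed sample data so the script runs offline, and the 14-day policy minimum is an assumption standing in for whatever figure Backup Policy §3.3 settles on. Two caveats the verdicts encode: a `GOVERNANCE`-mode lock is not protection against the compromised-credential scenario in R-011, because a principal holding `s3:BypassGovernanceRetention` can still delete, so only `COMPLIANCE` passes; and on MinIO, Object Lock can only be switched on when a bucket is created (`mc mb --with-lock`), so a bucket reported without it has to be replaced by a new locked bucket and the Veeam repository repointed, not "enabled" in place.

```python
"""Object Lock coverage audit for the MinIO buckets behind Veeam (R-011).

Added example, not part of the register. It drives a boto3-style S3 client;
the client used below is a constructed stand-in so the audit runs offline.
In production pass boto3.client("s3", endpoint_url="https://minio.example.internal")
(hypothetical endpoint) instead of FakeMinIO().
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class Finding:
    bucket: str
    lock_enabled: bool
    mode: Optional[str]            # "COMPLIANCE", "GOVERNANCE" or None
    retention_days: Optional[int]  # default retention, None if no default rule
    verdict: str                   # "OK", "WARN" or "FAIL"
    reason: str


def _s3_error_code(exc: Exception) -> Optional[str]:
    # botocore.exceptions.ClientError exposes the S3 error code under .response
    return getattr(exc, "response", {}).get("Error", {}).get("Code")


def audit_bucket(client, bucket: str, min_days: int) -> Finding:
    """Classify one bucket against the immutability requirement in Backup Policy 3.3."""
    try:
        cfg = client.get_object_lock_configuration(Bucket=bucket)["ObjectLockConfiguration"]
    except Exception as exc:  # botocore ClientError with a real client
        if _s3_error_code(exc) == "ObjectLockConfigurationNotFoundError":
            return Finding(bucket, False, None, None, "FAIL",
                           "Object Lock not enabled: a credential with s3:DeleteObject "
                           "can destroy every backup in the bucket")
        raise
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return Finding(bucket, False, None, None, "FAIL",
                       "Object Lock configuration present but not Enabled")
    rule = cfg.get("Rule", {}).get("DefaultRetention")
    if not rule:
        return Finding(bucket, True, None, None, "WARN",
                       "Object Lock enabled without a default retention rule; "
                       "immutability depends on the backup client setting per-object retention")
    mode = rule.get("Mode")
    days = rule.get("Days")
    if days is None and "Years" in rule:
        days = rule["Years"] * 365
    if mode != "COMPLIANCE":
        return Finding(bucket, True, mode, days, "FAIL",
                       "GOVERNANCE mode is bypassable by any principal holding "
                       "s3:BypassGovernanceRetention")
    if days is None or days < min_days:
        return Finding(bucket, True, mode, days, "FAIL",
                       f"default retention {days} days is below the policy minimum of {min_days}")
    return Finding(bucket, True, mode, days, "OK", "COMPLIANCE-mode lock meets retention minimum")


def audit_all(client, min_days: int, only: Optional[Iterable[str]] = None) -> list[Finding]:
    """Audit every bucket, or only the named subset (e.g. the Veeam repository buckets)."""
    wanted = set(only) if only is not None else None
    names = [b["Name"] for b in client.list_buckets()["Buckets"]]
    return [audit_bucket(client, n, min_days) for n in names if wanted is None or n in wanted]


# ---- constructed stand-in for a MinIO endpoint (sample data, not a real deployment) ----
class _LockConfigNotFound(Exception):
    """Mimics the ClientError S3/MinIO raise for a bucket created without Object Lock."""
    response = {"Error": {"Code": "ObjectLockConfigurationNotFoundError"}}


class FakeMinIO:
    _BUCKETS = {
        "veeam-cust-a": {"ObjectLockEnabled": "Enabled",
                         "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}},
        "veeam-cust-b": {"ObjectLockEnabled": "Enabled",
                         "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}},
        "veeam-cust-c": {"ObjectLockEnabled": "Enabled"},          # lock on, no default rule
        "veeam-cust-d": {"ObjectLockEnabled": "Enabled",
                         "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 7}}},
        "veeam-cust-e": None,                                       # created without --with-lock
    }

    def list_buckets(self):
        return {"Buckets": [{"Name": n} for n in self._BUCKETS]}

    def get_object_lock_configuration(self, Bucket):
        cfg = self._BUCKETS[Bucket]
        if cfg is None:
            raise _LockConfigNotFound()
        return {"ObjectLockConfiguration": cfg}


if __name__ == "__main__":
    import sys
    MIN_DAYS = 14  # assumed policy minimum; take the real figure from Backup Policy 3.3
    findings = audit_all(FakeMinIO(), MIN_DAYS)
    for f in findings:
        print(f"{f.verdict:4} {f.bucket:13} lock={str(f.lock_enabled):5} "
              f"mode={f.mode} days={f.retention_days}  {f.reason}")
    sys.exit(1 if any(f.verdict == "FAIL" for f in findings) else 0)
```

Run it from the quarterly review and keep the output with the review record; the non-zero exit on any `FAIL` makes it usable as a gate in a scheduled job. The `WARN` verdict is deliberately not a failure: a bucket whose immutability comes from per-object retention set by the backup client can be compliant, but that dependency should be written into the bucket → customer mapping in `/runbooks/backup-configuration` so the next reviewer knows where the protection actually lives.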
(Empty at initial issue. Risks moved here are retained with closure
date and rationale; they are not deleted.)
Risks that are accepted (rather than mitigated, transferred, or
avoided) are documented in §3 with a written rationale, owner,
acceptance date, and review date. Acceptance of any risk scoring 10+
requires Managing Director approval, which — given the dual-role
acknowledgement — is a documented decision under InfoSec Policy §5.1.
The register is reviewed: