System Guides

The Information Security Risk Assessment and Treatment feature in CIMSNex allows users to assess and address risks associated with information assets based on the ISO 27005 methodology.

To complete the Information Security Risk Assessment (ISRA) based on the ISO 27005 methodology, Navigate to the "Planning" menu and hover over "Infosec Risk Assessment." Click on "Infosec Risk Assessment" to initiate a new assessment. A list of information assets will be displayed. Click the "Add" button next to the asset you want to assess and complere the fields as below.

1. ISRA ID: Unique identifier for the Information Security Risk Assessment.

2. Date: Date when the assessment is conducted.

3. Vulnerability: Select the vulnerability associated with the asset.

4. Risk: Select the risk due to the asset vulnerability

5. Risk Impact: Slect the impact rating of the risk

6. Risk Likelihood: Select the likelihood rating of the risk occurring.

7. Risk Rating: Calculated by the system based on the criteria below.

8. Risk Ranking: System assigned priority to the risk based on the criteria below.

9. Risk Owner: Input the responsible individual or department.

10. Risk Treatment: Choose a treatment option (Avoid, Retain, Reduce, Transfer/Share).

11. Reason for Retaining: Provide justification if retaining the risk.

12. Additional Description: Include any relevant details or comments.

13. Organizational Control - Select the applicable organisational control reference

14. People Control - Select the applicable People control reference

15. Physical Control - Select the applicable Physical control reference

16. Technological Control - Select the applicable Technological control reference

17. Attachment: Attach relevant files or documents.

18. Additional Details: Provide any further information or observations.

After submitting the assessment, the Risk Register will be generated with additional fields included to provide detailed information related to the threat that will expose the vulnerability and specific control references for each of the four control categories: Organizational Control Ref, People Control Ref, Physical Control Ref, and Technological Control Ref.

This Risk Register will serve as input to the Risk Treatment Planning feature, which constitutes the next step in the risk management process.

RISK ASSESSMENT CRITERIA

RISK TREATMENT PLANNING

The next feature is Infosec Risk Treatment Planning, conducted after the risk assessment to strategize the treatment of identified risks through the implementation of controls, such as policies and other measures. To create a risk treatment plan, follow these steps:

Navigate to the "Planning" menu. Hover over "Infosec Risk Assessment & Treatment" and click on "Infosec Risk Treatment Planning". Complete the form by selecting additional controls from the Control Reference dropdown as below

1. RTP ID: This is a unique identifier for the Risk Treatment Plan (RTP) being prepared. It helps track and reference the plan when needed.

2. Date: Specify the date when the risk treatment plan is being created or documented.

3. Control Reference: Select a control of your choice to apply inthe treatment of the risk.

4. People Control Action Plan: Specify the actions or steps to be taken regarding people-related controls to mitigate or transfer/share the identified risks. This can involve training programs, awareness campaigns, access control enhancements, or any other measures involving human factors.

5. AssignedTo: Identify the individual or department responsible for executing the risk treatment plan. This can be a specific role within the organization or a designated team responsible for overseeing the plan's implementation.

6. Deadline: Set a deadline for completing the risk treatment plan. This helps establish a timeframe for implementing the necessary actions and monitoring progress.

7. Frequency: If it is an ongoign action plan, select appropriate option

After submiting, the system will recommend several control plans you can apply to treat the risk. To view these action plans, Navigate to the "Planning" menu. Hover over "Infosec Risk Assessment & Treatment" and click on "View Risk Treatment Plans".

Verification of Risk Treatment Plans:

To verify the action plan, Navigate to the "Planning" menu, Hover over "Infosec Risk Assessment & Treatment" and click on "Infosec Risk Treatment Verification". A list of planned activities will be displayed and Select each activity one by one and click the "Verify" button

1. Verification Status: Indicate the status of the verification process for the risk treatment plans. 

2. Completion Date: Specify the date when the verification process for the risk treatment plans was completed. This helps establish a timeline for assessing the effectiveness of the implemented measures.

3. Completed by: Identify the individual or team responsible for conducting the verification process. This field helps attribute accountability for the verification activities.

4. Comment/Lesson Learnt: Provide any relevant comments or lessons learned during the verification process. This can include observations, feedback, or insights gained from evaluating the effectiveness of the risk treatment plans.

5. Training or Awareness Done: Specify whether any additional training or awareness initiatives were conducted as part of the verification process. This field helps assess the overall level of knowledge and preparedness within the organization.

6. Attachment: If applicable, include any supporting documents or evidence related to the verification process. This can include reports, assessment findings, or other relevant materials.

The list will not clear, allowing you to come back and reverify periodically as part of the review process.

RISK TREATMENT PLAN
To check the Risk Treatment Plan:

1. Navigate to the "Planning" menu.
2. Hover over "Infosec Risk Assessment & Treatment" and click on "View Risk Treatment Plan".
3. View all plans and their status of implementation in the generated report.