Write a risk assessment for It risk register
IT Risk Register Risk Assessment for Information Security and Operational Risk Management
Assessment Date: [DATE]
Assessor: [ASSESSOR NAME]
Department/Area: [DEPARTMENT/AREA]
Review Date: [REVIEW DATE]
1. Assessment Scope
This risk assessment covers the identification, evaluation, and control of information security and operational risks associated with the operation, administration, support, and use of IT systems, networks, applications, endpoints, cloud services, data repositories, and related business processes. The scope includes routine operations, non-routine activities such as maintenance, patching, backups, incident response, system changes, and recovery activities, as well as foreseeable abnormal conditions such as cyber incidents, service outages, power loss, remote access failures, and extreme workload periods. It applies to employees, contractors, service providers, and other authorized users who access or support IT assets, and it considers impacts to business operations, data confidentiality, integrity, availability, and regulatory compliance. Exclusions from this assessment are physical workplace hazards unrelated to IT operations, product development risk outside operational deployment, and legal or contractual matters that do not directly affect information security or operational risk controls. [2] [5] [4]
2. Risk Assessment Methodology
This assessment uses a structured qualitative risk assessment approach consistent with hazard identification, risk analysis, risk evaluation, and risk control principles. Hazards were identified by considering the full lifecycle of IT activities, routine and non-routine tasks, foreseeable abnormal conditions, affected stakeholders, and relevant compliance obligations. Each hazard was evaluated using a 5x5-style qualitative matrix based on likelihood and severity, with risk ratings expressed as Low, Medium, High, or Extreme. Controls were selected using the hierarchy of controls, prioritizing elimination and substitution where feasible, followed by engineering controls, administrative controls, and personal protective equipment where applicable. Residual risk was estimated after controls were applied to determine whether additional action is required and whether the remaining risk is acceptable for ongoing operations. [7] [9] [10]
3. Risk Matrix Reference
The following matrix is used to evaluate risk levels based on likelihood and severity:
| Likelihood | ||||||
|---|---|---|---|---|---|---|
| Rare | Unlikely | Possible | Likely | Almost Certain | ||
| Severity | Catastrophic | Low | Low | Low | Medium | Medium |
| Major | Low | Low | Medium | Medium | High | |
| Moderate | Low | Medium | Medium | High | High | |
| Minor | Medium | Medium | High | High | Extreme | |
| Negligible | Medium | High | High | Extreme | Extreme |
4. Hazard Identification and Risk Evaluation
1. Unauthorized access to systems, applications, or data through weak authentication, credential theft, phishing, or account compromise.
Potential Consequences: Confidential information may be exposed, altered, or deleted; attackers may gain persistence in the environment; business operations may be disrupted; regulatory breaches and reputational damage may occur. [7] [6] [11]
Affected Persons: Employees, contractors, customers, business partners, IT administrators, and the organization as a whole.
Initial Risk Assessment
| Likelihood | Severity | Risk Rating |
|---|---|---|
| Likely | Major | Extreme |
Control Measures
- Eliminate unnecessary accounts, shared credentials, and dormant access paths.
- Substitute legacy authentication methods with phishing-resistant multi-factor authentication and strong identity governance.
- Implement engineering controls such as MFA, privileged access management, conditional access, password vaulting, and session timeout controls.
- Apply administrative controls including access reviews, least-privilege provisioning, security awareness training, phishing simulations, and formal joiner-mover-leaver procedures.
- Use secure tokens or hardware authenticators for privileged users where appropriate.
Residual Risk Assessment
| Likelihood | Severity | Risk Rating |
|---|---|---|
| Unlikely | Major | High |
2. Malware, ransomware, or other malicious code introduced through email, web browsing, removable media, or compromised software supply chains.
Potential Consequences: Systems may be encrypted, corrupted, or rendered unavailable; data loss may occur; recovery costs and downtime may be significant; critical services may be interrupted.
Affected Persons: All users of IT systems, operational teams, customers relying on services, and IT support personnel.
Initial Risk Assessment
| Likelihood | Severity | Risk Rating |
|---|---|---|
| Likely | Catastrophic | Extreme |
Control Measures
- Eliminate unsupported software and unauthorized removable media use.
- Substitute high-risk manual file transfer methods with managed secure file transfer and approved collaboration platforms.
- Deploy engineering controls including endpoint detection and response, email filtering, application allowlisting, network segmentation, immutable backups, and malware scanning.
- Use administrative controls such as patch management, backup testing, incident response playbooks, and user training on suspicious attachments and links.
- Apply restricted administrative access and hardened privileged workstations.
Residual Risk Assessment
| Likelihood | Severity | Risk Rating |
|---|---|---|
| Possible | Major | High |
3. Data loss, corruption, or unauthorized modification caused by system failure, human error, poor change control, or inadequate backup and recovery processes.
Potential Consequences: Records may be incomplete or inaccurate; services may be interrupted; financial, legal, and operational decisions may be based on incorrect information; recovery may be delayed.
Affected Persons: Business users, IT operations staff, management, auditors, and external stakeholders dependent on accurate records.
Initial Risk Assessment
| Likelihood | Severity | Risk Rating |
|---|---|---|
| Possible | Major | High |
Control Measures
- Eliminate single points of failure where feasible through redundancy and resilient architecture.
- Substitute manual, error-prone deployment methods with automated, version-controlled change and release processes.
- Implement engineering controls such as backup automation, replication, integrity checks, access logging, and configuration management tools.
- Apply administrative controls including change approval, segregation of duties, backup retention rules, restore testing, and data validation procedures.
- Restrict privileged actions to authorized personnel and require dual review for high-risk changes.
Residual Risk Assessment
| Likelihood | Severity | Risk Rating |
|---|---|---|
| Unlikely | Major | High |
4. Unplanned service outage or degraded availability due to infrastructure failure, cloud provider disruption, network interruption, or capacity exhaustion.
Potential Consequences: Users may be unable to access critical applications or data; service-level commitments may be missed; operational delays and financial losses may occur; emergency processes may be affected.
Affected Persons: Employees, customers, suppliers, IT support teams, and business continuity stakeholders.
Initial Risk Assessment
| Likelihood | Severity | Risk Rating |
|---|---|---|
| Possible | Major | High |
Control Measures
- Eliminate avoidable dependencies on single systems or single providers where practical.
- Substitute fragile manual recovery arrangements with tested business continuity and disaster recovery solutions.
- Use engineering controls such as redundancy, failover, load balancing, monitoring, capacity management, and geographically separated backups.
- Apply administrative controls including service continuity planning, escalation procedures, maintenance windows, and recovery time objective tracking.
- Maintain secure remote access and emergency communication procedures for continuity events.
Residual Risk Assessment
| Likelihood | Severity | Risk Rating |
|---|---|---|
| Unlikely | Major | High |
5. Misconfiguration of cloud services, firewalls, identity settings, storage permissions, or network controls leading to exposure of systems or data.
Potential Consequences: Sensitive data may be publicly exposed; unauthorized access may occur; compliance failures and incident response costs may increase.
Affected Persons: Data subjects, system users, administrators, and the organization.
Initial Risk Assessment
| Likelihood | Severity | Risk Rating |
|---|---|---|
| Likely | Major | Extreme |
Control Measures
- Eliminate manual configuration drift through infrastructure-as-code and standardized secure baselines.
- Substitute ad hoc configuration changes with approved templates and hardened reference architectures.
- Implement engineering controls such as configuration monitoring, policy-as-code, secure defaults, and automated drift detection.
- Apply administrative controls including peer review, change authorization, cloud security standards, and periodic configuration audits.
- Limit administrative privileges and require just-in-time access for sensitive changes.
Residual Risk Assessment
| Likelihood | Severity | Risk Rating |
|---|---|---|
| Possible | Major | High |
6. Insider threat, whether malicious or accidental, including misuse of access, data exfiltration, or unsafe handling of sensitive information.
Potential Consequences: Confidential data may be disclosed, altered, or destroyed; fraud may occur; trust and compliance may be compromised.
Affected Persons: Employees, contractors, customers, and the organization.
Initial Risk Assessment
| Likelihood | Severity | Risk Rating |
|---|---|---|
| Possible | Major | High |
Control Measures
- Eliminate unnecessary access to sensitive data and systems.
- Substitute broad access models with role-based access and data minimization.
- Implement engineering controls such as logging, data loss prevention, privileged session recording, and segregation of duties.
- Apply administrative controls including background screening where permitted, acceptable use rules, confidentiality obligations, monitoring, and disciplinary procedures.
- Use targeted awareness training for handling sensitive data and reporting suspicious behavior.
Residual Risk Assessment
| Likelihood | Severity | Risk Rating |
|---|---|---|
| Unlikely | Major | High |
7. Third-party and supply chain risk arising from vendors, managed service providers, software suppliers, or outsourced support with inadequate security or resilience.
Potential Consequences: Compromised suppliers may introduce malware, data exposure, service disruption, or compliance failures into the organization.
Affected Persons: Internal users, customers, business partners, procurement teams, and IT operations.
Initial Risk Assessment
| Likelihood | Severity | Risk Rating |
|---|---|---|
| Possible | Major | High |
Control Measures
- Eliminate unnecessary third-party connections and unused integrations.
- Substitute high-risk suppliers with vendors that meet defined security and resilience requirements where feasible.
- Implement engineering controls such as network segmentation, API security controls, vendor access restrictions, and monitoring of third-party activity.
- Apply administrative controls including due diligence, contractual security clauses, right-to-audit provisions, periodic reassessment, and offboarding procedures.
- Require vendors to report incidents promptly and maintain minimum security standards aligned to organizational policy.
Residual Risk Assessment
| Likelihood | Severity | Risk Rating |
|---|---|---|
| Unlikely | Major | High |
8. Non-compliance with information security, privacy, operational resilience, record retention, and sector-specific regulatory requirements.
Potential Consequences: The organization may face legal penalties, enforcement action, contractual breach, audit findings, loss of customer confidence, and mandatory remediation costs.
Affected Persons: The organization, compliance teams, management, customers, and regulated stakeholders.
Initial Risk Assessment
| Likelihood | Severity | Risk Rating |
|---|---|---|
| Possible | Major | High |
Control Measures
- Eliminate undocumented or uncontrolled processes that cannot demonstrate compliance.
- Substitute informal compliance tracking with a formal control register and evidence repository.
- Implement engineering controls such as centralized logging, retention controls, access records, and automated compliance reporting where possible.
- Apply administrative controls including policy management, legal and regulatory review, internal audits, corrective action tracking, and management sign-off.
- Maintain staff training on applicable standards, privacy obligations, and incident reporting requirements.
Residual Risk Assessment
| Likelihood | Severity | Risk Rating |
|---|---|---|
| Unlikely | Major | High |
9. Human error during routine support, maintenance, patching, backup restoration, or emergency recovery activities.
Potential Consequences: Incorrect changes may cause outages, data loss, security gaps, or prolonged recovery times; errors may propagate across systems.
Affected Persons: IT administrators, support staff, business users, and dependent services.
Initial Risk Assessment
| Likelihood | Severity | Risk Rating |
|---|---|---|
| Likely | Moderate | High |
Control Measures
- Eliminate unnecessary manual steps through automation and standard operating procedures.
- Substitute high-risk ad hoc work with scripted, tested, and peer-reviewed procedures.
- Implement engineering controls such as change validation, rollback capability, backup verification, and environment separation.
- Apply administrative controls including competency checks, pre-task briefings, checklists, peer review, and post-change verification.
- Restrict elevated access during maintenance to approved windows and authorized personnel only.
Residual Risk Assessment
| Likelihood | Severity | Risk Rating |
|---|---|---|
| Possible | Moderate | Medium |
5. General Control Measures
- Maintain a formal information security governance framework with documented policies, standards, procedures, and assigned responsibilities.
Use a control register to map risks to controls, owners, review dates, and evidence of implementation. Ensure policies cover access control, change management, incident response, backup, logging, vendor management, and acceptable use. [1] [12]
- Apply least privilege and segregation of duties across all critical systems and administrative functions.
Review privileged access regularly, remove unnecessary rights promptly, and separate development, testing, approval, and production support duties where feasible.
- Implement layered technical safeguards for prevention, detection, and recovery.
Use secure configuration baselines, patching, endpoint protection, network segmentation, logging, monitoring, backup, and tested restoration capabilities.
- Require structured change management for all material system, configuration, and process changes.
Assess risk before changes, obtain approvals, test changes in non-production environments, define rollback plans, and verify outcomes after implementation.
- Promote security awareness and reporting culture across the organization.
Train users to recognize phishing, social engineering, suspicious activity, and data handling requirements, and ensure incidents and near misses are reported promptly.
6. Emergency Preparedness
- Maintain an incident response plan for cyber events that defines triage, containment, eradication, recovery, communications, evidence preservation, and escalation criteria. The plan should include ransomware, account compromise, data breach, and malware scenarios. [4] [7]
- Maintain tested backup restoration and disaster recovery procedures with defined recovery time objectives and recovery point objectives for critical systems. Restoration tests should confirm that backups are usable and that critical services can be recovered within acceptable timeframes. [4]
- Establish outage communication procedures for internal users, customers, vendors, and management so that service interruptions, expected restoration times, and workarounds are communicated quickly and consistently.
- Define escalation paths for suspected privacy breaches, regulatory non-compliance, and third-party incidents so that legal, compliance, security, and operational leaders are notified without delay.
- Prepare contingency arrangements for remote work, alternate access, and manual fallback processes where business operations must continue during system unavailability or security containment actions.
7. Training Requirements
- Cybersecurity Awareness Training: All users should receive training on phishing recognition, password hygiene, multi-factor authentication, safe browsing, suspicious attachments, social engineering, and prompt incident reporting. Training should be refreshed regularly and reinforced with simulated phishing exercises.
- Recognize and report suspicious emails and messages.
- Protect credentials and never share authentication factors.
- Verify requests for sensitive actions through trusted channels.
- Privileged User and Administrator Training: Administrators and support personnel should be trained on secure configuration, privileged access handling, logging, change control, backup verification, and recovery procedures. Training should emphasize the consequences of misconfiguration and the need for peer review and rollback planning.
- Use approved administrative tools and hardened workstations.
- Follow change approval and testing requirements.
- Document and verify all high-risk actions.
- Incident Response and Escalation Training: Relevant staff should be trained to recognize cyber incidents, preserve evidence, isolate affected systems, notify the correct stakeholders, and follow the incident response plan. Training should include ransomware, data breach, and service outage scenarios.
- Know containment steps for compromised accounts or devices.
- Preserve logs and evidence for investigation.
- Escalate incidents according to severity thresholds.
- Data Protection and Compliance Training: Employees who handle sensitive or regulated information should be trained on data classification, retention, privacy obligations, secure sharing, and recordkeeping requirements. Training should reflect applicable legal, contractual, and organizational standards.
- Handle sensitive data only for authorized purposes.
- Store records in approved systems with retention controls.
- Report suspected compliance gaps immediately.
- Change Management and Recovery Training: Personnel involved in maintenance, patching, deployment, and recovery should be trained on change planning, testing, rollback, restoration, and post-change validation. This reduces the likelihood of outages and data loss during operational changes.
- Use checklists for critical changes.
- Confirm backups before major changes.
- Validate system health after implementation.
8. Monitoring and Review
Review Frequency: Annually and after any significant incident, major system change, regulatory change, or control failure.
| Monitoring Type | Frequency | Responsible Party | Description |
|---|---|---|---|
| Regular Inspection | Daily or continuous for critical systems | IT operations and security monitoring team | Monitor security alerts, authentication anomalies, endpoint detections, backup status, and service availability to identify active threats or control failures early. [1] |
| Access Review | Monthly for privileged access; quarterly for standard access | System owners and information security management | Review user accounts, privileged roles, dormant accounts, and third-party access to confirm access remains appropriate and promptly remove unnecessary permissions. [1] |
| Control Effectiveness Review | Monthly or after significant changes | IT governance, risk, and compliance function | Verify that key controls such as patching, logging, backup restoration, MFA, and change approvals are operating as intended and producing evidence of effectiveness. |
| Audit | At least annually and after major incidents | Internal audit, compliance, or designated independent reviewer | Assess whether the risk register, control framework, and evidence support compliance with internal policies, legal obligations, and applicable standards. |
| Incident Trend Analysis | Quarterly | Security operations and risk management | Analyze incidents, near misses, phishing reports, outages, and recovery performance to identify recurring weaknesses, emerging threats, and opportunities for improvement. |
9. Special Circumstances
- Remote work and off-site access increase exposure to phishing, insecure networks, lost devices, and reduced supervision. Additional controls such as VPN, MFA, device encryption, and secure remote support are required. [3]
- Night work, reduced staffing, and on-call operations can increase the likelihood of human error and delayed escalation. Enhanced handover, escalation, and monitoring arrangements should be used during these periods.
- Lone work by administrators or support staff during maintenance or recovery increases the impact of mistakes and delays in assistance. High-risk tasks should use buddy checks, remote oversight, or scheduled support coverage. [8]
- Extreme weather, power outages, and utility disruptions can affect connectivity, cooling, backup power, and recovery capability. Continuity plans should address generator use, UPS capacity, and alternate communications. [4]
- Major change windows, incident response periods, and peak business cycles can elevate operational risk due to time pressure and workload. Additional approvals, staffing, and rollback readiness should be applied.
Approval and Sign-off
This risk assessment has been reviewed and approved by:
Assessor: _________________________ Date: __________
Manager/Supervisor: _________________________ Date: __________
Safety Representative: _________________________ Date: __________
This risk assessment must be reviewed annually and after any significant incident, major system change, regulatory change, or control failure. or when significant changes occur.
Safety powered by SALUS
Important Safety Note:
Always verify safety information with your organization's specific guidelines and local regulations.