Risk Assessment
Document Control
Document Information
| Document Name | Document Number | Owner |
| --- | --- | --- |
| Statement of Applicability | MI2I-01/2025 | Mozhar Alhosni |
Revision History
| Version | Name | Job Title | Date | Summary of Revision |
| --- | --- | --- | --- | --- |
| 1 | Mozhar Alhosni | Cybersecurity GRC Consultant | #DATE_OF_REVISION# | 1st Release |
Document Approvals
| Name | Title | Date | Method |
| --- | --- | --- | --- |
| #GRC Chief NAME# | CEO | 6/25/2025 | Email |
Purpose
Risk Assessment is a key activity within the Information Security Management System (ISMS). It enables the organization to identify information security threats, vulnerabilities, and potential impacts, and to evaluate the likelihood of undesirable events. The purpose of the Risk Assessment process is to ensure that risks to information assets are understood, prioritized, and treated in a consistent and repeatable manner.
The outcome of the Risk Assessment directly influences which ISO/IEC 27001:2022 Annex A controls are implemented, modified, or considered unnecessary. Risk decisions are based on the organization’s risk acceptance criteria, business context, legal and contractual requirements, and the need to support confidentiality, integrity and availability of information.
Risk Register
| Risk ID | Asset / Process | Threat / Vulnerability | Description of Risk | Impact (Low/Med/High) | Likelihood (Low/Med/High) | Risk Level | Existing Controls | Annex A Controls | Risk Treatment (Mitigate / Accept / Transfer / Avoid) | Action Owner | Due Date | Status |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| R-001 | | | | | | | | | | | | |
| R-002 | | | | | | | | | | | | |
| R-003 | | | | | | | | | | | | |
| R-004 | | | | | | | | | | | | |
| R-005 | | | | | | | | | | | | |