
IS-14 Risk Treatment Policy

Last updated: 24 October 2024 at 11:47:57 UTC by Russell Briggs

Risk Treatment Policy

Document Ref No: IS-14
Version No: V1
Last review date: 19/10/2021
Approved by: Dom Tyler
Next review: 19/10/2022

Contents

1. Purpose, scope and users
2. Risk Assessment and Risk Treatment Methodology
   2.1. Risk assessment
        2.1.1. Vulnerabilities, threats and controls
        2.1.2. Determining the risk owners
        2.1.3. Suitability of Controls
   2.2. Risk treatment
   2.3. Regular reviews of risk assessment and risk treatment
3. Document management
4. Version history

1. Purpose, scope and users

The purpose of this document is to define the methodology for assessment and treatment of information security risks in Recycly, and to define the acceptable level of risk.

Risk assessment and risk treatment are applied to the entire scope of the Information Security Management System (ISMS), i.e. to all information assets which are used within the organisation or which could have an impact on information security within the ISMS.

Users of this document are all employees of Recycly who take part in risk assessment and risk treatment.

2. Risk Assessment and Risk Treatment Methodology

2.1. Risk assessment

2.1.1. Vulnerabilities, threats and controls

A qualitative assessment is made of the security vulnerabilities, threats, potential impact and likelihood associated with each area in scope, together with the corresponding controls.

2.1.2. Determining the risk owners

For each risk, a risk owner should be identified – the person or organisational unit responsible for that risk.

2.1.3. Suitability of Controls

Risk Level | Description | Risk Acceptance | Risk Treatment Plan
-----------|-------------|-----------------|--------------------
Low | The implemented controls are sufficient to reduce the risk to an acceptable level. | Acceptable | Acceptable level of risk.
Medium | The identified risk may cause harm to Recycly. Further risk treatment is required to reduce the risk. | Reduce or tolerate | Plan measures to further reduce the risk, or tolerate the risk with justification.
High | High likelihood or severity of harm to Recycly. Further risk treatment is required to reduce the risk, as a priority. | Reduce, not tolerable | Plan to implement risk reduction controls to reduce the risk at least from High to Medium.

2.2. Risk treatment

One or more treatment types may be applied to control security risks.

1. Treat – implement a physical, technical, policy or procedural control to reduce the risk.

2. Transfer – transfer the risk to a third party, e.g. by purchasing an insurance policy or signing a contract with suppliers or partners.

3. Terminate – avoid the risk by discontinuing the business activity that causes it.

4. Tolerate – accept the risk, e.g. where the other risk treatment options would cost more than the potential impact should the risk materialise.

The treatment of risks related to outsourced processes must be addressed through the contracts with responsible third parties, as specified in the Supplier Security Policy.

2.3. Regular reviews of risk assessment and risk treatment

A review should be conducted at least once a year, or more frequently in the case of significant organisational changes, significant change in technology, change of business objectives, changes in the business environment, etc.

On behalf of the risk owners, the Executive Management Team will accept all residual risks where the risk level has been reduced to Low or where a risk is knowingly tolerated.

3. Document management

This policy shall be available to all Recycly Employees and any Third Parties where required. The policy must be reviewed and, if necessary, updated at least once a year. Notice of significant revisions shall be provided to Recycly Employees via email.

4. Version history

Summary of Change | Date of Change | Author | Version No
------------------|----------------|--------|-----------
First Draft | 19/10/2021 | Dom Tyler | 1