IS-14 Risk Treatment Policy
Last updated: 24 October 2024 at 11:47:57 UTC by Russell Briggs
Risk Treatment Policy
| Document Ref No | Version No | Last review date | Approved by | Next review |
|---|---|---|---|---|
| IS-14 | V1 | 19/10/2021 | Dom Tyler | 19/10/2022 |
Contents
1. Purpose, scope and users
2. Risk Assessment and Risk Treatment Methodology
2.1. Risk assessment
2.1.1. Vulnerabilities, threats and controls
2.1.2. Determining the risk owners
2.1.3. Suitability of Controls
2.2. Risk treatment
2.3. Regular reviews of risk assessment and risk treatment
3. Document management
4. Version history
1. Purpose, scope and users
The purpose of this document is to define the methodology for assessment and treatment of information security risks in Recycly, and to define the acceptable level of risk.
Risk assessment and risk treatment are applied to the entire scope of the Information Security Management System (ISMS), i.e. to all information assets which are used within the organisation or which could have an impact on information security within the ISMS.
Users of this document are all employees of Recycly who take part in risk assessment and risk treatment.
2. Risk Assessment and Risk Treatment Methodology
2.1. Risk assessment
2.1.1. Vulnerabilities, threats and controls
A qualitative assessment is made of the security vulnerabilities, threats, potential impact and likelihood associated with those areas, together with the corresponding controls.
2.1.2. Determining the risk owners
For each risk, a risk owner should be identified – the person or organisational unit responsible for each risk.
2.1.3. Suitability of Controls
| Risk Level | Description | Risk Acceptance | Risk Treatment Plan |
|---|---|---|---|
| Low | The implemented controls are sufficient to reduce the risk to an acceptable level. | Acceptable | Acceptable level of risk. |
| Medium | The identified risk may cause harm to Recycly. Further risk treatment is required to reduce risk. | Reduce or tolerate | Plan measures to further reduce risk or tolerate the risk with justification. |
| High | High likelihood or severity of harm to Recycly. Further risk treatment is required to reduce risk, as a priority. | Reduce, not tolerable | Plan to implement risk reduction controls to reduce the risk from, at least, High to Medium. |
2.2. Risk treatment
One or more treatment types may be applied to control security risks.
1. Treat – implement a physical, technical, policy or procedural control to reduce the risk
2. Transfer – transfer the risk to a third party, e.g. by purchasing an insurance policy or signing a contract with suppliers or partners
3. Terminate – avoid the risk by discontinuing the business activity that causes it
4. Tolerate – accept the risk, e.g. if the selection of other risk treatment options would cost more than the potential impact should the risk materialise
The treatment of risks related to outsourced processes must be addressed through the contracts with responsible third parties, as specified in the Supplier Security Policy.
2.3. Regular reviews of risk assessment and risk treatment
A review should be conducted at least once a year, or more frequently in the case of significant organisational changes, significant change in technology, change of business objectives, changes in the business environment, etc.
On behalf of the risk owners, the Executive Management Team will accept all residual risks where the risk level has been reduced to Low or where a risk is knowingly tolerated.
3. Document management
This policy shall be available to all Recycly Employees and any Third Parties where required. The policy must be reviewed and, if necessary, updated at least once a year. Notice of significant revisions shall be provided to Recycly Employees via email.
4. Version history
| Summary of Change | Date of Change | Author | Version No |
|---|---|---|---|
| First Draft | 19/10/2021 | Dom Tyler | 1 |