A risk assessment template is a tool that is used to document the systematic analysis of types of security risks that exist within the scope/area of an assessment, the likelihood and consequence of those risks being realised, and the recommended control measures to reduce risk to acceptable levels.
A risk assessment template can use text, graphs, or charts (including the risk matrix) to demonstrate risk and related attributes.
Why Use A Risk Assessment Template?
Keeping a record of all the findings in each stage of risk assessment is crucial. A sound recordkeeping system helps entities track important planning data, including the solutions selected to address current levels of risk. This can also be used retrospectively if needed to justify pre-incident planning.
Organisations are required to use a risk assessment template, whether their own or one sourced from elsewhere, to comply with various regulatory requirements.
More than that, it promotes communication about risk methods within organisations and workplaces.
Key SECTARA personnel have developed numerous risk assessment templates over the years. We have also seen many templates offered by others online. It caused us to question what the pros and cons were of taking up an online template.
Clearly the temptation of a quick fix for an urgent requirement would drive many to source a risk template online. There can be benefit in doing this, such as boilerplate content and new ideas, but there are also many potential drawbacks.
The Pros And Cons
From a security perspective, the obvious issue is the high potential for viruses and other malware to be embedded within free templates. If an adversary were seeking to gain sensitive security information from organisations, what better phishing hook than content that will invariably be downloaded by security assessors?
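One defensive check worth running on any downloaded Office template before it is opened: inspect the archive for an embedded VBA project. The example below is added here and is not code from the original post or from SECTARA; the sample archives are constructed in memory (no real template files) and the vbaProject.bin part name and content type are the standard Office Open XML markers.

```python
import io
import zipfile

# Standard content type that Office uses to declare an embedded VBA project.
MACRO_CT = "application/vnd.ms-office.vbaProject"


def build_sample(with_macro: bool) -> bytes:
    """Build a constructed, minimal .docx/.dotm-like archive purely for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        types = ['<Default Extension="xml" ContentType="application/xml"/>']
        if with_macro:
            types.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CT}"/>')
            z.writestr("word/vbaProject.bin", b"\x00constructed-placeholder\x00")
        z.writestr("[Content_Types].xml", "<Types>" + "".join(types) + "</Types>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def macro_indicators(data: bytes) -> list:
    """Return the reasons the archive appears to carry VBA code; an empty list means none found."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not an OOXML archive (e.g. a legacy binary .doc/.xls); needs a different parser.
        return ["not an OOXML archive: inspect with a legacy-format tool"]
    with archive as z:
        names = z.namelist()
        for name in names:
            if name.lower().endswith("vbaproject.bin"):
                findings.append(f"VBA part present: {name}")
        if "[Content_Types].xml" in names:
            content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
            if MACRO_CT in content_types:
                findings.append("content types declare a VBA project")
    return findings


def has_embedded_macros(data: bytes) -> bool:
    """True when any macro indicator is found; treat such templates as untrusted."""
    return bool(macro_indicators(data))
```

A clean template yields no indicators; one carrying a VBA project is flagged twice, once for the part and once for its content-type declaration.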
There is also usually the issue of misalignment between your needs and the methods detailed within free risk assessment templates. This is likely to cost a practitioner much time in reformatting and restructuring, with no guarantee that the result will be what is required.
If you are a reasonable practitioner yourself, there’s also the question of why you think someone else’s work is better than what you could prepare. After all, Australia designed the global risk management standard (ISO 31000) and counts itself as being one of the more progressive nations in risk practices.
General Considerations And Risk Assessment Template Process
Looking past the issues of online risk assessment templates, starting with a blank template can limit rapid progress and deny assessors a point of reference when completing an assessment.
The image below illustrates a basic ISO 31000 risk register, completion of which is the culmination of the risk assessment process.
[Image: Risk Register Template]
However, and prior to reaching this stage in an assessment, any reasonable risk assessment template will have accounted for documenting the external, internal and security risk context. These sections of a template define the scope and various environments within which the assessment is being conducted.
They are also the appropriate places in a risk assessment template to build the business case for the assets, threats, controls, risks and recommended treatments that will invariably flow from the process.
[Image: SECTARA Threat Criteria Template]
Subsequent stages beyond defining the context should serve to:
- identify and assess the criticality of assets;
- identify threat actors, and examine their intent and capability to carry out threat acts;
- highlight and assess the effectiveness of controls that exist to protect assets from those threat acts;
- identify areas of vulnerability;
- identify risks arising from this information; and
- recommend risk treatments that reduce the current level of risk to acceptable levels.
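The stages above, carried through to a register row and a matrix rating, as an added example that is not code from the original post or from SECTARA. The 5x5 likelihood and consequence scales, the band thresholds and the sample rows are all assumptions constructed for illustration; the post names no specific scale.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed 5x5 scoring scheme for the risk matrix (not taken from the post).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
# Upper bound of likelihood x consequence for each band, lowest band first.
BANDS = [(4, "low"), (9, "medium"), (16, "high"), (25, "extreme")]
ORDER = [band for _, band in BANDS]

def rating(likelihood: str, consequence: str) -> tuple:
    """Score a risk on the matrix and return (score, band)."""
    score = LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]
    return score, next(band for limit, band in BANDS if score <= limit)

@dataclass
class Risk:
    asset: str
    criticality: int              # asset criticality stage: 1 (low) .. 5 (critical)
    threat: str                   # threat actor and the threat act assessed
    control: str                  # existing control and its assessed effectiveness
    vulnerability: str            # area of vulnerability identified
    likelihood: str
    consequence: str
    treatments: list = field(default_factory=list)
    residual: Optional[tuple] = None   # (likelihood, consequence) expected after treatment
    def current_rating(self):
        return rating(self.likelihood, self.consequence)
    def residual_rating(self):
        return rating(*self.residual) if self.residual else self.current_rating()
    def treat(self, treatment: str, likelihood=None, consequence=None):
        """Record a recommended treatment and the rating it is expected to achieve."""
        base = self.residual or (self.likelihood, self.consequence)
        self.treatments.append(treatment)
        self.residual = (likelihood or base[0], consequence or base[1])

def above_tolerance(register: list, tolerance: str = "medium") -> list:
    """Assets whose residual band still exceeds the acceptable level, highest score first."""
    hits = [r for r in register if ORDER.index(r.residual_rating()[1]) > ORDER.index(tolerance)]
    return [r.asset for r in sorted(hits, key=lambda r: r.residual_rating()[0], reverse=True)]

def sample_register() -> list:
    """Constructed example rows, not data from any real assessment."""
    server = Risk("assessment file server", 5, "external actor: data theft",
                  "perimeter firewall (adequate)", "unpatched remote service", "likely", "major")
    archive = Risk("paper archive", 2, "opportunist: theft", "locked cabinet (strong)",
                   "shared key", "unlikely", "minor")
    server.treat("patch management and network segmentation", likelihood="unlikely")
    return [server, archive]
```

With a tolerance of "medium" the treated server risk drops from high to medium and no row remains above tolerance; lowering the tolerance to "low" lists the server again.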
Using Traditional Tools
As you can imagine, it is hard to do all this effectively when using an MS Word/Excel template, for example. Much of the process of completing a risk assessment template warrants a collaborative approach to ensure the result is sufficiently informed.
Expecting to be able to download a solution from the web, which will address your immediate needs and not leave you further confused, is unrealistic in most cases.
It’s the reason that Industry Risk designed SECTARA. SECTARA is the official companion to the Security Risk Management Aide Memoire (SRM-AM), which is an extension of the Security Risk Management Body of Knowledge (SRMBoK). It was also written by the same author (Julian Talbot), who was a SECTARA co-designer.
SECTARA addresses all the issues outlined above, including through the provision of pre-populated libraries of data that can speed up and help direct the assessment process. It also demonstrates how advanced threat assessments should be completed and illustrates Industry Risk’s commitment to best practice in security risk management.
If you are looking to do security risk management better and wish to use effective security risk assessment templates, get in contact or register for a free plan at https://sectara.com.
Yours in security risk assessing, Konrad Buczynski