Doc owner: TBD
Risk Assessment Policy
Lightly seeded from legacy Allied Information Security Policy (only the cadence below is carried over). The legacy doc does not describe the methodology; this is a known gap for ISO 27001 and needs drafting.
Purpose
To define how Allied identifies, assesses, treats, and monitors information security risks across its systems, data, and operations.
Scope
Applies to all Allied information assets and the processes that handle them.
Roles and responsibilities
| Role | Responsibility |
|---|---|
| Security Officer | Delivers information security risk assessments at least annually |
| Asset owners | Identify and assess risks to assets under their control |
Cadence
Information security risk assessments are delivered at least annually, ahead of the annual policy review and re-endorsement cycle.
Policy statements
TBD — gap analysis to add: risk identification process, assessment criteria (likelihood × impact), treatment options (avoid, mitigate, transfer, accept), residual risk acceptance, escalation thresholds, link to the Statement of Applicability.
Related
- POL-DIG-001 Information Security Management Plan
- ISO 27001:2022 Clauses 6.1.2, 6.1.3, 8.2, 8.3