Skip to main content
DraftIndicative placeholder for the section owner — amend, replace, or confirm as the first definitive version.

Doc owner: TBD

Risk Assessment Policy

Lightly seeded from legacy Allied Information Security Policy (only the cadence below is carried over). The legacy doc does not describe the methodology; this is a known gap for ISO 27001 and needs drafting.

Purpose

To define how Allied identifies, assesses, treats, and monitors information security risks across its systems, data, and operations.

Scope

Applies to all Allied information assets and the processes that handle them.

Roles and responsibilities

RoleResponsibility
Security OfficerDelivers information security risk assessments at least annually
Asset ownersIdentify and assess risks to assets under their control

Cadence

Information security risk assessments are delivered at least annually, ahead of the annual policy review and re-endorsement cycle.

Policy statements

TBD — gap analysis to add: risk identification process, assessment criteria (likelihood × impact), treatment options (avoid, mitigate, transfer, accept), residual risk acceptance, escalation thresholds, link to the Statement of Applicability.