Best Practice: ISO Risk Assessment Matrix

Statement of Best Practice

  • Quickly assess risk in a consistent manner

Contact

  • CISO

Risk Matrix

The assessment is a two-step lookup: Threat and Vulnerability give a likelihood p(T x V), and p(T x V) combined with Impact gives the risk rating.

Likelihood p(T x V), by Threat (rows) and Vulnerability (columns)

  Threat \ Vulnerability   Low       Moderate   High
  High                     Low       Moderate   High
  Moderate                 Low       Moderate   Moderate
  Low                      Low       Low        Moderate

Risk, by p(T x V) (rows) and Impact (columns)

  p(T x V) \ Impact        Low       Moderate   High
  High                     Low       Moderate   High
  Moderate                 Low       Moderate   High
  Low                      Low       Low        Moderate


Definitions

  • High Threat = Occurring in higher education, or in this type of implementation
  • Moderate Threat = Occurring, but outside of higher education
  • Low Threat = Exists, but not occurring or active
  • High Vulnerability = Lacking controls or safeguards
  • Moderate Vulnerability = Some controls or safeguards
  • Low Vulnerability = Well controlled or safeguarded
  • High Impact = Regulated, sensitive, or operational data, or systems requiring strong protections or maximum availability. Significant or moderate fines or penalties, or moderate to major impairment of operations
  • Moderate Impact = Institutional business and proprietary data, or general operational data or systems; data not intended for public use. Minor losses or inefficiencies
  • Low Impact = Publicly releasable data and non-required operational data or systems. No privacy requirements; minimal availability loss
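As an added worked example (not part of the original page), the two matrices above encoded so that a set of findings can be rated consistently, with a check that each matrix never rates a higher threat, vulnerability, or impact lower than a smaller one. The findings at the bottom are constructed for illustration.

```python
from enum import IntEnum

class Level(IntEnum):
    LOW = 0
    MODERATE = 1
    HIGH = 2

L, M, H = Level.LOW, Level.MODERATE, Level.HIGH

# First matrix: row = Threat level, columns = Vulnerability (Low, Moderate, High).
LIKELIHOOD = {
    H: (L, M, H),
    M: (L, M, M),
    L: (L, L, M),
}

# Second matrix: row = p(T x V) level, columns = Impact (Low, Moderate, High).
RISK = {
    H: (L, M, H),
    M: (L, M, H),
    L: (L, L, M),
}

def likelihood(threat: Level, vulnerability: Level) -> Level:
    """p(T x V): look up Threat against Vulnerability in the first matrix."""
    return LIKELIHOOD[threat][vulnerability]

def risk(threat: Level, vulnerability: Level, impact: Level) -> Level:
    """Chain both lookups: likelihood first, then likelihood against Impact."""
    return RISK[likelihood(threat, vulnerability)][impact]

def is_monotone(matrix: dict) -> bool:
    """True if the rating never decreases as the row or column input increases.
    A matrix edit that breaks this would make two assessors disagree on ordering."""
    rows_ok = all(row[i] <= row[i + 1] for row in matrix.values() for i in range(2))
    cols_ok = all(matrix[L][c] <= matrix[M][c] <= matrix[H][c] for c in range(3))
    return rows_ok and cols_ok

def assess(findings: dict) -> dict:
    """Map each finding name to its risk rating name."""
    return {name: risk(t, v, i).name for name, (t, v, i) in findings.items()}

# Constructed findings: (Threat, Vulnerability, Impact) per the page's definitions.
FINDINGS = {
    "unpatched public web app holding student records": (H, H, H),
    "departmental wiki, public content, no safeguards": (M, H, L),
    "payroll system, well controlled, regulated data": (H, L, H),
}

if __name__ == "__main__":
    assert is_monotone(LIKELIHOOD) and is_monotone(RISK)
    for name, rating in assess(FINDINGS).items():
        print(f"{rating:9} {name}")
```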