Practical, Cost Effective and award-winning

Business Continuity, Crisis Management & Information Security Solutions


0800 035 1231 (Mon to Fri 9am – 5pm)

Suite 3, The Cotton Mill, Torr Vale Mills, New Mills, Derbyshire, SK22 4HS, UK

Information Security Risk Assessment and Treatment

Risk assessment and treatment involves the process of identifying, prioritising and managing the risks to information that an organisation faces. Cambridge Risk Solutions can assist with each stage of this process, bringing the benefit of an objective viewpoint and years of experience.

Identifying Risks

There are numerous sources of information on risks, including:

  • Previous incident and events;
  • Anecdotal knowledge;
  • The “UK National Risk Register”;
  • “Community Risk Registers” for each area of the UK;
  • Specialist journals, research and whitepapers;
  • Health, Safety and Environmental risk registers within your organisation;
  • Annual Reports and Accounts from companies in your sector; and
  • Media reports of incidents.

Prioritising Risks

Having identified the risk to your organisation, these risks need to be assessed in the context of:

  • the strategy and objectives of your business;
  • the internal and external issues facing your business;
  • the needs of your interested parties, such as clients, staff and other stakeholders;
  • the legal and regulatory landscape; and
  • your organisational risk appetite.

Risks should then be treated accordingly.  There are 4 fundamental responses to each risk, known as the “4 T’s”:

  • Tolerate the risk as it is;
  • Transfer the risk ie buy insurance to mitigate the financial losses
  • Treat the risk ie take practical steps to reduce the likelihood of the event occurring and/or mitigate the impact if it should occur; or
  • Terminate the activity that gives rise to the risk.

The budget available for risk management will never be sufficient to transfer or treat all the risks that face an organisation. Senior Management must therefore prioritise which risks they will actively address; remaining risks must either be tolerated or terminated.

Managing Risks

For those considering ISO 27001, the standard lists a number of ‘control objectives and controls’, and is fairly prescriptive in that it requires that the risk treatment process should ensure that the controls are listed within a Statement of Applicability (SoA).  This should include details of risk controls, as well as reasons for inclusion or exclusion from any of the controls.

Follow the link to see a Risk Assessment and Treatment case study.

Get In Touch

We are always happy to answer any questions you may have, please either contact us by telephone, or by filling in the form below.

Please ensure that you do not divulge any sensitive data as this webpage is not secure.

I have had an extremely positive experience of working with Mr Roberts on two separate Business Continuity projects. Both projects were delivered to time and budget and I would certainly use his services again as and when required.

more testimonials

  • Business Continuity Planning

    Effective planning that takes into account risk evaluation and business impact analysis, supported by clear and concise crisis management. We work with you to develop user-friendly plans.

  • Business Impact Analysis

    The Business Impact Analysis (BIA) is one of the most important, and least well understood, stages of the Business Continuity Management Lifecycle; we can assist with your BIA.

  • Training and Exercising

    No Business Continuity Management programme is effective without a significant element of training. Moreover, ongoing Crisis Management training and exercising is key. We can provide objective training and exercising.

  • Risk Evaluation and Control

    Risk evaluation and treatment provide a process to identify, prioritise and managing your risks. Cambridge Risk Solutions can assist with risk management for business operational and information security risks.

  • Statement of Applicability

    Which controls do you need to have in place? How do you link your risk assessment process into your SoA? How do you ensure that you have effective controls in place? We can assist with your SoA.

  • Integrated Management Systems

    Management Systems assist with your on-going management, maintenance and continual improvement. We work with you to develop a fully integrated management system, enabling certification to ISO 22301 and ISO 27001.