This is a free template, provided by OpenRegulatory.
6.1.1 Actions to address risks and opportunities – General: process steps 1, 2, 3
6.1.2 Information security risk assessment: process step 2
6.1.3 Information security risk treatment: process step 3
Summary
This document describes the process for assessing and treating information security risks within the Information Security Management System (ISMS) at <your company name>. It outlines the procedures for risk identification, analysis, evaluation, and treatment to ensure that information security risks are managed effectively.
The purpose of the Information Security Risk Assessment Process is to identify, assess, and manage risks that could potentially affect the confidentiality, integrity, and availability of the information assets of <your company name>. This process is vital for maintaining robust security practices and ensuring compliance with ISO/IEC 27001:2023 standards.
This document shall be reviewed annually or upon significant changes to the ISMS or the risk landscape. All revisions must be approved by the Information Security Officer (ISO) and communicated to all relevant stakeholders.
Process Steps
1. Risk Identification
The company will:
Identify the risks associated with the loss of confidentiality, integrity, and availability of information within the scope of the ISMS.
Document the potential security threats and vulnerabilities that could affect the organization’s information assets.
Participants: Management, ISO, Employees
Input: –
Output: Identified risks; Identified security threats; Identified vulnerabilities
2. Risk Analysis
Analyze the likelihood of each identified risk occurring, along with its potential impact on the organization.
Utilize qualitative and quantitative methods to evaluate the severity of risks based on predefined criteria.
Participants: ISO
Input: Identified risks; Identified security threats; Identified vulnerabilities
Output: Information Security Risk Analysis Plan
3. Risk Assessment
Prioritize the risks based on their likelihood and impact.
Determine which risks are acceptable and which require further action or treatment based on the risk appetite of the organization.
Identify appropriate risk treatment options such as risk avoidance, risk transfer, risk acceptance, or risk mitigation.
Select specific security controls to implement from Annex A of ISO/IEC 27001:2023 or other relevant sources.
Participants: Management, ISO
Input: Information Security Risk Analysis Plan
Output: Information Security Risk Table; Information Security Risk Analysis Report
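As an added worked example (not part of the OpenRegulatory template), the following Python builds the Information Security Risk Table described in steps 2 and 3: it scores each identified risk by likelihood times impact, checks the score against the organization's risk appetite and proposes one of the four treatment options. The 1-5 rating scales, the appetite threshold of 6, the treatment decision rule and the sample risks are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed criteria for this example: likelihood and impact are each rated 1-5, the risk
# score is their product, and the risk appetite is the highest score accepted untreated.
SCALE = range(1, 6)
RISK_APPETITE = 6
PROPERTIES = ("confidentiality", "integrity", "availability")

@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    cia_property: str  # which of confidentiality / integrity / availability is at stake
    likelihood: int    # 1 = rare ... 5 = almost certain
    impact: int        # 1 = negligible ... 5 = severe

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.risk_id}: likelihood and impact must be 1..5")
        if self.cia_property not in PROPERTIES:
            raise ValueError(f"{self.risk_id}: unknown property {self.cia_property!r}")

    def score(self) -> int:
        return self.likelihood * self.impact

def treatment_option(risk, appetite=RISK_APPETITE):
    """Map a scored risk to one of the four treatment options (hypothetical decision rule)."""
    if risk.score() <= appetite:
        return "accept"    # within appetite: record it and keep monitoring
    if risk.likelihood >= 4 and risk.impact >= 4:
        return "avoid"     # stop or redesign the activity that creates the risk
    if risk.likelihood <= 2 and risk.impact >= 4:
        return "transfer"  # rare but severe: insurance or contractual transfer
    return "mitigate"      # reduce likelihood or impact with Annex A or other controls

def build_risk_table(risks, appetite=RISK_APPETITE):
    """Rows of the Information Security Risk Table, highest score (priority) first."""
    rows = [{"risk_id": r.risk_id, "asset": r.asset, "property": r.cia_property, "score": r.score(),
             "acceptable": r.score() <= appetite, "treatment": treatment_option(r, appetite)}
            for r in risks]
    return sorted(rows, key=lambda row: row["score"], reverse=True)

# Constructed sample input, as steps 1 and 2 would hand it over.
SAMPLE_RISKS = [
    Risk("R-1", "customer database", "credential theft", "no MFA on admin accounts", "confidentiality", 4, 5),
    Risk("R-2", "build server", "ransomware", "unpatched operating system", "availability", 3, 4),
    Risk("R-3", "office printer", "hardware failure", "ageing device", "availability", 2, 1),
    Risk("R-4", "backup archive", "data centre fire", "single storage site", "availability", 2, 5),
]
```

Risks rated outside the 1-5 scale are rejected at construction time, so a malformed entry cannot silently sink to the bottom of the table.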
4. Monitoring and Review
Regularly monitor and review the effectiveness of the risk treatment measures and controls.
Update the Information Security Risk Analysis Plan, the Information Security Risk Table and the Information Security Risk Analysis Report accordingly.
Participants: ISO
Input: Monitoring data; Information Security Risk Analysis Plan; Information Security Risk Table; Information Security Risk Analysis Report
Output: Information Security Risk Analysis Plan (updated); Information Security Risk Table (updated); Information Security Risk Analysis Report (updated)