The ISMS Risks & Treatments map is how you manage your risks in ISMS.online. It allows you to record and manage each risk, indicating its impact and likelihood, how you propose to treat it, and the details of that treatment. The ISO 27001 Policies & Controls area comes with an inbuilt Risk Register and Map. Risk Registers can also be created as standalone tools or integrated into other work areas, for example to manage the risks relating to a specific project.
Using the ISMS Risks & Treatments map
Creating a New Risk
When creating a new Risk there are a number of details you can add in:
- Description – Describe the risk
- Risk status – State whether the risk you are plotting is currently Open or Closed
- Potential consequence – Describe the potential impact on your organisation or team if this risk is not mitigated
- Origin – Where the risk arises from
- Type of risk – You can select Threat or Opportunity; if the risks you are plotting do not fall in either category you can contact the ISMS.online Support Team to arrange customisation of your dropdown list
- Owner – Select the team member responsible for monitoring the risk
- Action – Select the Action for this risk; this can also be set when you add a reading
- Dates: Review/Reminder – Select when you would like this risk to be reviewed, and when you would like a reminder notification to be sent out
Adding a Reading
Once you have created a risk, you will notice an ‘Add reading’ button on the right-hand side of the page. This is where you will:
- Impact – Define the Impact score of your risk by selecting values for Confidentiality, Integrity and Availability (the Impact score is the highest of the three readings)
- Likelihood – Define the Likelihood score for this reading (from Very Low to Very High)
- Action – You can select the Action for this risk when you add the reading, or at any time after it has been created
- Target Reading – Can be used to show where you are aiming to bring your current readings. Target readings appear as a blue dot and cannot be removed. This feature is optional.
Note: The first reading you add is counted as your Original Reading. This reading is permanent (although Support can remove it if it was added in error). Original Readings let you compare where you started, before you put controls in place for the risk, with where you are now. Every reading you add after the initial reading is counted as your Current Reading.
Management of the ISMS Risks & Treatment Plan
Once you’ve populated your plan with risks, you’ll see each risk plotted on the map with a letter of the alphabet. Clicking a letter opens all of that risk's details next to the map, with the treatment plan below it.
You can also view all of your risks in the table below the map; use the toggle buttons to swap between open and closed risks.
The functionality within a risk item is familiar from other areas of ISMS.online: you can add notes, set tasks, upload documents and start discussions.
As you use these tools to manage your risks and change their impact and likelihood, you’ll see these changes plotted on the History graph. This allows you to visualise the treatment of a risk over time against the acceptable likelihood and impact.
It’s easy to add risks from scratch or to draw them down from our risk bank. The risk bank holds generic risks that we have created so you can quickly add them to your risk maps, and you can adapt them to meet your specific needs once added. Treatment examples are proposed for each risk; you can adopt, adapt or add to them in the risk treatment area.
To view the risk bank simply click ‘View Risk Bank’ in the top right, as shown in the image below.
Then, when you have found a risk you want to add to your map, simply click ‘Add risk’, also shown below. Risks that have already been added to your map are highlighted green.
Because the Risk Register and Treatment Plan is part of the work area for the ISO 27001 Policies & Controls Project, all members of that Project have access to the Plan. If you want more people to be able to view the Risk Register, simply add them to the Project.
Should you wish to change the name of your Risk Register and Treatment Plan, click Settings (next to Team in the top right-hand corner), edit the text box shown below and click Save.
Creating a Risk Register & Treatment Plan
To create a Risk Register and Treatment Plan within a Work Area, open the desired Work Area and click on the Tools tab as shown below:
Then click New tool usage and select Risk Register and Treatment Plan from the drop-down menu. You can choose to associate the tool with the entire project or with a particular Phase, Deliverable or Activity. Once you are happy with the options, click Create new usage.
Give it a relevant name and click Save.
Note: Is your Risk Methodology different to the default supplied by ISMS.online? Our Support team can create a Custom Risk Map for your organisation.
Do you want to customise your Risk Map?
If the default ISMS Risks & Treatments plan does not fit your organisation's own Risk Methodology, our Support team can create a Custom Risk Map for you. It can be applied to all existing and future Risk Maps created in your platform, or only to a specific map.
The following can be customised in ISMS.online risk maps:
- The number of impact and likelihood levels – for example, in the default ISO 27001 risk map, there are five levels
- The labels for impact and likelihood levels – for example, in the default ISO 27001 risk map, impact labels are: Insignificant, Minor, Moderate, Major, Severe
- The scoring methodology (the numbers on the risk map squares) – this can be ‘Additive’ (impact + likelihood), ‘Multiplicative’ (impact × likelihood) or ‘Sequential’ (1, 2, 3, 4, 5…)
- The reminder period for each colour level – in the pre-configured ISMS Risks & Treatments map these are 1, 3, 6 and 12 months
- The colour levels for the map, and where those colours go. The following colours are available for risk maps in ISMS.online: Grey, Turquoise, Blue, Orange, Black, Brown, Yellow, Purple, Green, Red
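The following is an added example, not ISMS.online's own code, showing how the readings described above combine into a map score: the impact is the highest of the Confidentiality, Integrity and Availability values, the first reading is the Original Reading and the latest is the Current Reading, and the square's number depends on which of the three scoring methodologies is configured. It assumes the default five-level scales and, for ‘Sequential’, that squares are numbered row by row (an assumption; the page does not specify the numbering order).

```python
from dataclasses import dataclass
from typing import List

# Default five-level labels as described on the page (likelihood labels assumed).
IMPACT_LABELS = ["Insignificant", "Minor", "Moderate", "Major", "Severe"]
LIKELIHOOD_LABELS = ["Very Low", "Low", "Medium", "High", "Very High"]


@dataclass
class Reading:
    confidentiality: int  # 1..5 on the impact scale
    integrity: int
    availability: int
    likelihood: int       # 1..5 on the likelihood scale

    @property
    def impact(self) -> int:
        # Impact score is the highest of the three C/I/A readings.
        return max(self.confidentiality, self.integrity, self.availability)


def score(impact: int, likelihood: int, method: str, levels: int = 5) -> int:
    """Number shown on the map square under the configured methodology."""
    if not (1 <= impact <= levels and 1 <= likelihood <= levels):
        raise ValueError("reading outside the configured number of levels")
    if method == "additive":
        return impact + likelihood
    if method == "multiplicative":
        return impact * likelihood
    if method == "sequential":
        # Assumption: squares numbered row by row, one row per likelihood level.
        return (likelihood - 1) * levels + impact
    raise ValueError(f"unknown methodology: {method}")


def risk_history(readings: List[Reading], method: str = "multiplicative") -> dict:
    """Original reading is the first added; the latest is the current reading."""
    if not readings:
        raise ValueError("a risk needs at least one reading")
    original, current = readings[0], readings[-1]
    return {
        "original": score(original.impact, original.likelihood, method),
        "current": score(current.impact, current.likelihood, method),
        "trend": [score(r.impact, r.likelihood, method) for r in readings],
        "impact_label": IMPACT_LABELS[current.impact - 1],
        "likelihood_label": LIKELIHOOD_LABELS[current.likelihood - 1],
    }


# Constructed sample: a risk whose integrity impact was reduced after treatment.
SAMPLE_READINGS = [Reading(2, 5, 3, 4), Reading(2, 3, 3, 2)]
```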
The easiest way to provide this information is to send us your methodology, including a coloured map so we can see how you would like each square to be coloured.
To request a custom Risk Map, or to find out more, please contact the Support team either by the Live Chat button in the bottom right of your ISMS.online platform, or email us at firstname.lastname@example.org