CLAS / RMADS

Risk Mgmt & Accreditation of Information Systems

HM Government has specific requirements for the governance of its information systems. This process is called "accreditation" and requires a named individual, the Accreditor, to make a balanced judgement that all risks to an information system have been appropriately mitigated.

This does not mean that every risk must be reduced to nil, which is almost impossible. It means that the Accreditor must be satisfied that the residual risks, once reduced by suitable countermeasures, do not exceed the organisation's risk appetite; or, where they do, that the reasoning for accepting the increased level of risk is recorded.

The first stage in developing a Risk Management and Accreditation Documentation Set (RMADS) is to determine the Business Impact Level of the information held on the system to be accredited. Depending on the outcome, it may be sufficient simply to comply with ISO 27001; for higher impact levels an RMADS is mandatory.

There are two main phases in developing an RMADS. Each is further broken down into individual work units:-

Phase 1 - Perform an HMG IA Standard 1 Technical Risk Assessment.

  • Catalogue the information system and generate a scope diagram.
  • Verify the minimum assumptions to ensure that the risk assessment is accurate.
  • Perform threat assessment to produce a “Prioritised Risk Catalogue” that must be documented within the RMADS.

Phase 2 – Create the RMADS in accordance with HMG IA Standard 2:-

  • Perform an ISO 27001 Benchmarking Review to determine whether suitable commercial countermeasures already exist.
  • Develop a Risk Treatment Plan to ensure that the proposed solutions meet the requirements of the organisation and its risk appetite.
  • Develop Security Operating Procedures where a technical solution or existing documentation does not deliver the required level of risk mitigation.
