Document History
Version | Date | Author | Description of Change |
1.0 | 10/10/2023 | CISO | Initial Release |
2.0 | 10/10/2024 | CISO | Second Release |
3.0 | 10/10/2025 | CISO | Third Release |
Approvers List
Name | Role | Approver/Reviewer | Date |
| Technical head | TOP MANAGEMENT | 10/10/2023 |
| Technical head | TOP MANAGEMENT | 10/10/2024 |
| Technical head | TOP MANAGEMENT | 10/10/2025 |
Risk Identification
Risk ID | Date Identified | Risk Submitter | Risk Description |
ITD_01 | 10/10/2023 | ISG | Risk Assessment Table not updated |
ITD_02 | 10/10/2023 | ISG | List of IT assets not updated |
ITD_03 | 10/10/2023 | ISG | Licenses (Windows, Adobe, and other software) |
ITD_04 | 10/10/2023 | ISG | Backup data loss |
ITD_06 | 10/10/2023 | ISG | Unavailability of the services (server) |
ITD_07 | 10/10/2023 | ISG | System Updates (Antivirus, system updates) |
ITD_08 | 10/10/2023 | ISG | Vulnerability scan |
ITD_09 | 10/10/2023 | ISG | Admin Access to employees |
ITD_10 | 10/10/2023 | ISG | Malware attack on system(s) |
ITD_11 | 10/10/2023 | ISG | Virus attack on system(s) |
ITD_12 | 10/10/2023 | ISG | Incorrect data processing by employees |
ITD_13 | 10/10/2023 | ISG | Leased lines not working |
ITD_14 | 10/10/2023 | ISG | Wi-Fi not working |
ITD_15 | 10/10/2023 | ISG | Biometric machines not working |
ITD_16 | 10/10/2023 | ISG | Hacking activity |
ITD_17 | 10/10/2023 | ISG | Fraud activity on company devices |
ITD_18 | 10/10/2023 | ISG | Physical Security breach |
ITD_19 | 10/10/2023 | ISG | Theft of company assets and confidential data |
ITD_20 | 10/10/2023 | ISG | Natural disaster such as flood, fire, cyclone, earthquake |
ITD_21 | 10/10/2023 | IT | Not enough hardware budget |
ITD_22 | 10/10/2023 | ISG | Fire due to short circuit |
ITD_23 | 10/10/2023 | ISG | Technology out of date and difficult to maintain |
ITD_24 | 10/10/2023 | CEO | Use of social media in company |
ITD_25 | 10/10/2023 | IT | Admin Access to employees |
ITD_26 | 10/10/2023 | IT | USB unblocked |
ITD_27 | 10/10/2023 | IT | Access Management (Misuse of credentials) |
ITD_28 | 10/10/2023 | IT | Firewall Crash Down or Power Failure |
ITD_29 | 10/10/2023 | IT | Wi-Fi password theft |
ITD_30 | 10/10/2023 | IT | Antivirus on Linux |
Risk Classification
Risk ID | Category | Risk Type | Risk Owner | Probability |
ITD_01 | Organizational | Opportunity | ITD | Likely |
ITD_02 | Organizational | Threat | ITD | Highly Likely |
ITD_03 | Organizational | Threat | ITD | Low Likelihood |
ITD_04 | Technical | Threat | ITD | Highly Likely |
ITD_06 | Organizational | Threat | ITD | Highly Likely |
ITD_07 | Technical | Threat | ITD | Likely |
ITD_08 | Technical | Threat | ITD | Likely |
ITD_09 | Organizational | Threat | ITD | Highly Likely |
ITD_10 | Technical | Threat | ITD | Highly Likely |
ITD_11 | Technical | Threat | ITD | Highly Likely |
ITD_12 | Technical | Threat | ITD | Low Likelihood |
ITD_13 | Technical | Threat | ITD | Highly Likely |
ITD_14 | Technical | Threat | ITD | Likely |
ITD_15 | Technical | Threat | ITD | Highly Likely |
ITD_16 | Technical | Threat | ITD | Highly Likely |
ITD_17 | Technical | Threat | ITD | Highly Likely |
ITD_18 | Organizational | Threat | ITD | Highly Likely |
ITD_19 | Technical | Threat | ITD | Highly Likely |
ITD_20 | Organizational | Threat | ITD | Highly Likely |
ITD_21 | | Threat | ITD | Likely |
ITD_22 | Technical | Threat | Admin | Highly Likely |
ITD_23 | Technical | Threat | ITD | Highly Likely |
ITD_24 | Technical | Threat | ITD | Likely |
ITD_25 | Technical | Threat | ITD | Likely |
ITD_26 | Technical | Threat | ITD | Low Likelihood |
ITD_27 | Organizational | Threat | ITD | Highly Likely |
ITD_28 | Technical | Threat | ITD | Highly Likely |
ITD_29 | Technical | Threat | ITD | Highly Likely |
ITD_30 | Scope | Exception | ITD | Not Likely |
Risk Impact Analysis
Risk ID | Prob Value | Impact | Impact Value | Risk Rating |
ITD_01 | 0.5 | Very Serious | 0.4 | 0.2 |
ITD_02 | 0.7 | Serious | 0.2 | 0.14 |
ITD_03 | 0.3 | Very Serious | 0.4 | 0.12 |
ITD_04 | 0.7 | Very Serious | 0.4 | 0.28 |
ITD_06 | 0.7 | Very Serious | 0.4 | 0.28 |
ITD_07 | 0.5 | Serious | 0.2 | 0.1 |
ITD_08 | 0.5 | Serious | 0.2 | 0.1 |
ITD_09 | 0.7 | Serious | 0.2 | 0.14 |
ITD_10 | 0.7 | Very Serious | 0.4 | 0.28 |
ITD_11 | 0.7 | Serious | 0.2 | 0.14 |
ITD_12 | 0.3 | Serious | 0.2 | 0.06 |
ITD_13 | 0.7 | Very Serious | 0.4 | 0.28 |
ITD_14 | 0.5 | Serious | 0.2 | 0.1 |
ITD_15 | 0.7 | Very Serious | 0.4 | 0.28 |
ITD_16 | 0.7 | Catastrophic | 0.8 | 0.56 |
ITD_17 | 0.7 | Very Serious | 0.4 | 0.28 |
ITD_18 | 0.7 | Serious | 0.2 | 0.14 |
ITD_19 | 0.7 | Very Serious | 0.4 | 0.28 |
ITD_20 | 0.7 | Very Serious | 0.4 | 0.28 |
ITD_21 | 0.5 | Significant | 0.1 | 0.05 |
ITD_22 | 0.7 | Very Serious | 0.4 | 0.28 |
ITD_23 | 0.7 | Serious | 0.2 | 0.14 |
ITD_24 | 0.5 | Significant | 0.1 | 0.05 |
ITD_25 | 0.5 | Significant | 0.1 | 0.05 |
ITD_26 | 0.3 | Serious | 0.2 | 0.06 |
ITD_27 | 0.7 | Very Serious | 0.4 | 0.28 |
ITD_28 | 0.7 | Very Serious | 0.4 | 0.28 |
ITD_29 | 0.7 | Very Serious | 0.4 | 0.28 |
ITD_30 | 0.1 | Significant | 0.1 | 0.01 |
Risk Priority & Response
Risk ID | Risk | Priority | Risk Response Type | Corrective Actions |
ITD_01 | Moderate | Very High | Mitigate/Control | Risk Register is to be updated by ITD |
ITD_02 | Moderate | Medium | Mitigate/Control | ITD team implemented IT asset tracker tool |
ITD_03 | Moderate | Very High | Mitigate/Control | ITD maintained software inventory |
ITD_04 | Severe | High | Mitigate/Control | Backup Policy is implemented |
ITD_06 | Severe | High | Mitigate/Control | Weekly backup of cloud servers |
ITD_07 | Moderate | Medium | Mitigate/Control | Centralized Antivirus is in place |
ITD_08 | Moderate | High | Mitigate/Control | Scheduled VAPT and patching |
ITD_09 | Moderate | Medium | Mitigate/Control | Access Control Policy is in place |
ITD_10 | Severe | Medium | Mitigate/Control | Antivirus and removable media blocked |
ITD_11 | Moderate | High | Mitigate/Control | Firewall and Antivirus in place |
ITD_12 | Minimal | High | Mitigate/Control | Firewall blocks unwanted sites |
ITD_13 | Severe | Very High | Transfer | Multiple ISP and load balancing firewall |
ITD_14 | Moderate | High | Mitigate/Control | Multiple WiFi backup available |
ITD_15 | Severe | High | Mitigate/Control | Weekly biometric backup |
ITD_16 | Severe | Very High | Mitigate/Control | VAPT, Firewall and Antivirus |
ITD_17 | Severe | Very High | Mitigate/Control | Firewall and removable media blocked |
ITD_18 | Moderate | Medium | Mitigate/Control | Access control policy implemented |
ITD_19 | Severe | Very High | Mitigate/Control | Drive locked with BitLocker |
ITD_20 | Severe | Very High | Accept | BCP implemented and WFH available |
ITD_21 | Minimal | Medium | Mitigate/Control | Inventory maintained in advance |
ITD_22 | Severe | Very High | Mitigate/Control | Fire Extinguisher and Alarm |
ITD_23 | Moderate | High | Mitigate/Control | Patching and VAPT performed |
ITD_24 | Minimal | Medium | Mitigate/Control | Firewall blocks unwanted websites |
ITD_25 | Minimal | Medium | Mitigate/Control | Admin access approval process |
ITD_26 | Minimal | Very High | Mitigate/Control | USB blocked in devices |
ITD_27 | Severe | Very High | Mitigate/Control | Access Control Management Policy |
ITD_28 | Severe | Very High | Mitigate/Control | Genset in place for power down |
ITD_29 | Severe | Very High | Mitigate/Control | WiFi passwords encrypted |
ITD_30 | Minimal | Low | Mitigate/Control | Antivirus not required for Ubuntu |
Residual Risk Analysis
Risk ID | Residual Probability | Residual Prob Value | Residual Impact | Residual Impact Value |
ITD_01 | Not Likely | 0.1 | Significant | 0.1 |
ITD_02 | Likely | 0.5 | Significant | 0.1 |
ITD_03 | Low Likelihood | 0.3 | Serious | 0.2 |
ITD_04 | Not Likely | 0.1 | Serious | 0.2 |
ITD_06 | Not Likely | 0.1 | Serious | 0.2 |
ITD_07 | Low Likelihood | 0.3 | Significant | 0.1 |
ITD_08 | Not Likely | 0.1 | Serious | 0.2 |
ITD_09 | Low Likelihood | 0.3 | Marginal | 0.05 |
ITD_10 | Likely | 0.5 | Serious | 0.2 |
ITD_11 | Low Likelihood | 0.3 | Marginal | 0.05 |
ITD_12 | Likely | 0.5 | Marginal | 0.05 |
ITD_13 | Low Likelihood | 0.3 | Marginal | 0.05 |
ITD_14 | Likely | 0.5 | Serious | 0.2 |
ITD_15 | Not Likely | 0.1 | Significant | 0.1 |
ITD_16 | Not Likely | 0.1 | Marginal | 0.05 |
ITD_17 | Not Likely | 0.1 | Significant | 0.1 |
ITD_18 | Not Likely | 0.1 | Significant | 0.1 |
ITD_19 | Not Likely | 0.1 | Significant | 0.1 |
ITD_20 | Not Likely | 0.1 | Very Serious | 0.4 |
ITD_21 | Not Likely | 0.1 | Significant | 0.1 |
ITD_22 | Low Likelihood | 0.3 | Very Serious | 0.4 |
ITD_23 | Not Likely | 0.1 | Serious | 0.2 |
ITD_24 | Likely | 0.5 | Significant | 0.1 |
ITD_25 | Likely | 0.5 | Significant | 0.1 |
ITD_26 | Low Likelihood | 0.3 | Very Serious | 0.4 |
ITD_27 | Not Likely | 0.1 | Significant | 0.1 |
ITD_28 | Low Likelihood | 0.3 | Very Serious | 0.4 |
ITD_29 | Not Likely | 0.1 | Significant | 0.1 |
ITD_30 | Not Likely | 0.1 | Significant | 0.1 |
Residual Risk Result
Risk ID | Residual Risk Rating | Residual Risk |
ITD_01 | 0.01 | Minimal |
ITD_02 | 0.05 | Minimal |
ITD_03 | 0.06 | Minimal |
ITD_04 | 0.02 | Minimal |
ITD_06 | 0.02 | Minimal |
ITD_07 | 0.03 | Minimal |
ITD_08 | 0.02 | Minimal |
ITD_09 | 0.015 | Minimal |
ITD_10 | 0.1 | Moderate |
ITD_11 | 0.015 | Minimal |
ITD_12 | 0.025 | Minimal |
ITD_13 | 0.015 | Minimal |
ITD_14 | 0.1 | Moderate |
ITD_15 | 0.01 | Minimal |
ITD_16 | 0.005 | Minimal |
ITD_17 | 0.01 | Minimal |
ITD_18 | 0.01 | Minimal |
ITD_19 | 0.01 | Minimal |
ITD_20 | 0.04 | Moderate |
ITD_21 | 0.01 | Minimal |
ITD_22 | 0.12 | Moderate |
ITD_23 | 0.02 | Minimal |
ITD_24 | 0.05 | Minimal |
ITD_25 | 0.05 | Minimal |
ITD_26 | 0.12 | Moderate |
ITD_27 | 0.01 | Minimal |
ITD_28 | 0.12 | Moderate |
ITD_29 | 0.01 | Minimal |
ITD_30 | 0.01 | Minimal |
