ISMS Compliance: CyFun Basic, Identify function

ID.RA-5: Risk determination

Threats, vulnerabilities, likelihoods, and impacts are used to determine risk

Function: Identify. Control: ID.RA-5

Requirement

The organisation shall conduct risk assessments in which risk is determined by threats, vulnerabilities and impact on business processes and assets.

Our Implementation

Risk determination follows a structured methodology combining threat identification, vulnerability assessment, and business impact analysis:

  • Scoring methodology: Risk Score = Probability (1–5) × Impact (1–5) × 100, enabling quantified comparison across risks
  • Probability scale: Five levels from Rare (1) to Almost Certain (5)
  • Impact scale: Five levels from Negligible (1) to Severe (5)
  • Current risk landscape: 13 risks documented (RSK-001 through RSK-013) with scores ranging from 800 to 1200 — covering device encryption, privilege separation, MFA gaps, vendor assessments, DR planning, vulnerability disclosure, centralised logging, incident response drills, security training, patch management, and penetration testing
  • Treatment assignment: Each risk has an assigned owner, mapped controls, and defined treatment approach (mitigate, accept, transfer, or avoid)

Gaps / Planned improvements:

  • No formal threat intelligence feeds incorporated (NEX-375)
  • Risk assessment not yet extended to all 33 software tools (NEX-375)
  • Annual reassessment cycle not yet completed — first assessment March 2026 (NEX-386)

Evidence

Status: Implemented
Maturity level: L2 (Repeatable)
