HMG IA/IS 1 (part 1) Technical Risk Assessment
IS1 is now part of Mandatory Requirement 32, where Departments and Agencies must conduct an annual technical risk assessment (using HMG IA Standard No.1) for all HMG ICT Projects and Programmes, and when there is a significant change in a risk component (Threat, Vulnerability, Impact etc.) to existing HMG ICT Systems in operation.

The assessment and the risk management decisions made must be recorded in the Risk Management and Accreditation Documentation Set (RMADS), using HMG IA Standard No.2 – Risk Management and Accreditation of Information Systems.

This Standard is HMG’s approved technical risk assessment and risk treatment method for ICT Systems. It is also a supplement to the Security Policy Framework (SPF).

It is a baseline requirement that organisations bound by SPF use this Standard as their agreed method for technical risk assessment and risk treatment of information systems. However, the Standard may also be applied, at the organisation’s discretion, across a broad range of business contexts in both the public and private sectors.

The Standard has been designed to:

  • Form part of the top-level risk management process defined in HMG Information Assurance Standard No. 2.
  • Assess, and indicate treatment for, technical risks to the Confidentiality, Integrity and Availability of information systems.
  • Enable the potential business impact of information risk to be taken fully into account, and residual risks to be considered in relation to business risk appetite.
  • Be applicable to information systems at all levels of business impact, from the most sensitive defence and intelligence systems to those with minimal impact in the wider public sector.
  • Allow for a wide range of risk treatments and countermeasures; more than in the previous versions of this Standard.
  • Effectively address the threats to information systems, including the threat from people with authorised physical access to areas containing ICT systems.
  • Consider risks (and risk treatments) associated with interconnected systems.
  • Present results which are straightforward to understand and interpret by those who are not themselves information assurance security experts.
  • Produce structured information about risks that will assist in the population of an IA risk register.

If you have a requirement that involves this Standard please contact us at standards@platinumsquared.co.uk

For more information from CESG, please visit www.cesg.gov.uk
