The overall purpose of this Standard is to support the National Information Assurance Strategy, which emphasises informed risk ownership and acceptance by the business and information owners, underpinned by support and compliance regimes, with third party evaluation and certification playing a subsidiary role.
Part 2 provides a method to define risk treatment requirements. In so doing, this part of Infosec Standard No 1 has several subsidiary purposes:
- To provide a framework for informed risk treatment within which the designer, analyst, accreditor, business owner, risk owner and anyone else involved can agree on pragmatic, appropriate, and cost-effective risk treatment.
- To apply to a wide range of systems, from small systems operating at a low level of Impact to large interconnected systems operating at a wide range of Impact Levels.
- To augment and work closely with Infosec Standard No 2.
In achieving these purposes it provides the means for the accreditor to make informed risk management decisions that support the business, and provides methods by which higher levels of risk can be pragmatically, appropriately, and cost-effectively managed even if they cannot be quantifiably reduced.
It is not for the IA professional using this Standard (the analyst) to mandate a solution, but to make a reasoned, well-argued recommendation, in the form of a "Security Case", to the SIRO, SRO, accreditor, and business users so that together they can make a well-informed business decision.
If you have a requirement that involves this Standard please contact us at standards@platinumsquared.co.uk
For more information from CESG, please visit www.cesg.gov.uk
Extracts taken from HMG Documentation. © Parts of this document are copyright, reserved and vested in the Crown.