As stated in the SPF, in Mandatory Requirement 32, the assessment and the risk management decisions made must be recorded in the Risk Management and Accreditation Documentation Set (RMADS), using HMG IA Standard No.2 – Risk Management and Accreditation of Information Systems.
The document is divided into three parts:
- Part 1 – Governance and Risk Management Concepts.
- Part 2 – Risk Management and Accreditation Process.
- Part 3 – Risk Management and Accreditation Documentation.
Part 1 explains the importance of governance and presents the concepts of risk management and accreditation in progressive stages, allowing the reader to develop a clear understanding of the subject.
Part 2 steps through the process of risk management and accreditation in the lifecycle of the information system. It provides clear correlation to project, procurement and business management processes and defines the products produced at each stage. It is designed as a guide and aide-memoire and should only be used once sufficient understanding has been gained from Part 1.
Part 3 offers a suggested format for the Risk Management and Accreditation Document Set (RMADS) and identifies typical content. It also provides linkage to the products identified in Part 2.
The key terms and abbreviations used in this Standard are intended to be consistent with those used by the International Standards Organisation (ISO) and publications produced, sponsored or supported by the Central Sponsor for Information Assurance (CSIA). A comprehensive glossary is also provided that is aligned with the terminology used by the ISO documentation and CSIA.
If you have a requirement that involves this Standard, please contact us at standards@platinumsquared.co.uk
For more information from CESG, please visit www.cesg.gov.uk
Extracts taken from HMG Documentation. © Parts of this document are copyright, reserved and vested in the Crown.