There are six stages to the assessment of a risk control: Identify, Assess, Treatment, Decision, Treat and Monitor. Depending on the extent to which the risk control has been implemented, you may not go through all of these stages, or you may go through several of them multiple times.
- Identify: This is the first stage, when you initially ‘answer the question’ and detail whether or not your organization has implemented a given risk control.
- Assess: This is the second stage, at which your risk control will be assigned an initial risk score, either by the Assessor or Apomatix’s Autopilot, based on the response you gave in the first stage.
- Treatment: This is the third stage, at which your organization is given a suggested treatment appropriate to the level of risk assigned in the second stage (i.e. instructions or guidance on how to implement the risk control and lower your risk score), either by the Assessor or Apomatix’s Autopilot.
- Decision: This is the fourth stage, at which your organization has to decide whether to treat the risk (i.e. implement the control to lower the level of risk faced) or to accept the risk (i.e. you decide that the level of risk faced is acceptable and that no further action is required). Note that for certain controls it is not possible to accept the risk until it has been reduced to its lowest level (a score of 1). This is the case when the risk control in question is compulsory, that is, either required by law (e.g. GDPR) or necessary if you wish to comply with a specific industry standard (e.g. clauses 4-10 of ISO 27001).
- Treat: This is the fifth stage, when, if you have decided to treat a risk, you upload your evidence and detail the steps taken to implement the risk control. Once you submit your treatment, the risk control in question will return to the identify stage and the scoring process (led either by an Assessor or Apomatix’s Autopilot) will begin again.
- Monitor: This is the sixth and final stage, where your risk controls are logged once your organization has reduced the level of risk to an acceptable level. Before you push a risk control into the monitor stage you will be asked to assign a monitor date. This is the date on which the risk control will automatically be pushed back into the identify stage for you to reassess it. How far ahead this date falls will vary from organization to organization and depend on the level of risk you are monitoring (e.g. a residual risk score above 1 that you have chosen to accept), but as a matter of principle, all risk controls should be reviewed at least annually, or whenever a significant change is proposed or occurs.