management processes. This is equally applicable for shared services
An information risk appetite statement
An Accreditation Policy which defines the strategic approach to proportionality of accreditation and re-accreditation within the Department or Agency
An Education and Training Policy for all mandatory and specialist security roles
A fundamental principle of information risk management is technical risk assessment, and all Departments and Agencies must conduct a technical risk assessment for the Confidentiality, Integrity and Availability of their ICT systems or services in line with the stepped methodology presented in the Supplement to this Standard: HMG IA Standard Nos. 1 & 2 – Supplement (Supplement), Technical Risk Assessment and Risk Treatment (reference [b]). Any technical risk assessment must include a business impact and threat assessment so that Departments and Agencies can identify and value their information assets and understand the threats that they face.
A technical risk assessment, whilst important, is a precursor to effective information risk management. The management of information risk through treatment (the selection and implementation of controls) is where organisations should direct their resources, especially when those resources are constrained.
Organisations should note that the risks they face are not only technical in nature; they will also have to manage financial, people, and physical risk amongst others. Risks are often interrelated, so they should not be assessed or managed in isolation. It is recommended that any technical risk assessments are supported and contextualised by business activities and wider risk management processes, such as other corporate risk appetite(s) and Departmental risk registers. Where appropriate, the output of wider risk management processes and business context should contribute to the overall understanding of risk amongst the organisation's stakeholders.
The outcome of the technical risk assessment provides organisations with an understanding of the nature and severity of the technical risks that their information assets face, which results in a more informed, and therefore proportionate and appropriate, approach to their ongoing management.
Departments and Agencies must produce and communicate an Accreditation Policy. By establishing and communicating an Accreditation Policy, the SIRO, in conjunction with the Accreditor, has the ability to define a strategic approach to accreditation and re-accreditation, which can, for example, include the terms for proportionality and the requirements of the document set (the RMADS); this is critical if cost savings and business objectives are to be realised. There is no reason why simple systems cannot have a short and basic RMADS.
It is critical that the Accreditor or their delegated authority is involved at project