Information

  • Audit Title

  • Document No.

  • Client / Site

  • Conducted on

  • Prepared by

  • Location

  • Personnel

General information

  • Completion date of business impact risk assessment

  • Risk assessment owner

  • Signature of owner

  • Risk assessment facilitator

  • Signature facilitator

  • Corporate Information Security Officer

  • Signature CISO

  • General notes or remarks

IT Tool profile

  • System name

  • System owner

  • Business context

  • Description and main business function

  • Status of the system

  • Age of the system

  • Scope of the system

  • Contribution to the business (Financial targets, Operational excellence, Customer Satisfaction)

  • Number of users

  • User trend

  • Number of transactions per week (Normal operation)

  • Number of transactions per week (Peak)

  • Transaction trend

  • Is the quality of the end product directly linked to the reliability of this system?

  • Validation needed for the system (cGxP)

Risk Assessment: Confidentiality

  • Please fill in the business risk if the information in the IT tool were unprotected and accessible to unauthorized persons. Do NOT take existing controls in the system into consideration.

  • Overall impact (see the financial, operational, customer and employee topics below; the weakest link defines the overall score)

  • General notes or remarks on confidentiality risks

  • Overall financial impact (see below, weakest link defines the overall score)

  • Financial: Loss of sales, orders or contracts

  • Financial: Loss of tangible assets

  • Financial: Penalties/legal liabilities

  • Financial: Unforeseen costs

  • Financial: Depressed share price

  • Overall operational impact (see below, weakest link defines the overall score)

  • Operational: Loss of management control

  • Operational: Loss of competitiveness

  • Operational: New ventures, products or entry into new markets held up

  • Operational: Breach of operational standards

  • Overall customer related impact (see below, weakest link defines the overall score)

  • Customer: Delayed delivery to customers or clients

  • Customer: Loss of customers or clients

  • Customer: Loss of confidence by key institutions

  • Customer: Damage to reputation

  • Overall employee related impact (see below, weakest link defines the overall score)

  • Employee: Reduction in staff morale/productivity

  • Employee: Injury or death

Risk Assessment: Integrity

  • Please fill in the business risk if the information in the IT tool were unreliable and unauthorized changes (fraud) were possible. Do NOT take existing controls in the system into consideration.

  • Overall impact (see the financial, operational, customer and employee topics below; the weakest link defines the overall score)

  • General notes or remarks on integrity risks

  • Overall financial impact (see below, weakest link defines the overall score)

  • Financial: Loss of sales, orders or contracts

  • Financial: Loss of tangible assets

  • Financial: Penalties/legal liabilities

  • Financial: Unforeseen costs

  • Financial: Depressed share price

  • Overall operational impact (see below, weakest link defines the overall score)

  • Operational: Loss of management control

  • Operational: Loss of competitiveness

  • Operational: New ventures, products or entry into new markets held up

  • Operational: Breach of operational standards

  • Overall customer related impact (see below, weakest link defines the overall score)

  • Customer: Delayed delivery to customers or clients

  • Customer: Loss of customers or clients

  • Customer: Loss of confidence by key institutions

  • Customer: Damage to reputation

  • Overall employee related impact (see below, weakest link defines the overall score)

  • Employee: Reduction in staff morale/productivity

  • Employee: Injury or death

Risk Assessment: Availability

  • Please fill in the critical timeframe after which unavailability of the IT tool becomes a very high business risk. Do NOT take existing controls in the system into consideration.

  • Overall critical timeframe and hence risk (weakest link principle)

  • General notes or remarks on availability risks

  • Overall financial impact (see below, weakest link defines the overall score)

  • Financial: Loss of sales, orders or contracts

  • Financial: Loss of tangible assets

  • Financial: Penalties/Legal liabilities

  • Financial: Unforeseen costs

  • Financial: Depressed share price

  • Overall operational impact (see below, weakest link defines the overall score)

  • Operational: Loss of management control

  • Operational: Loss of competitiveness

  • Operational: New ventures, products or entry into new markets held up

  • Operational: Breach of operating standards

  • Overall customer related impact (see below, weakest link defines the overall score)

  • Customer: Delayed deliveries to customers or clients

  • Customer: Loss of customers or clients

  • Customer: Loss of confidence by key institutions

  • Customer: Damage to reputation

  • Overall employee related impact (see below, weakest link defines the overall score)

  • Employee: Reduction in staff morale/productivity

  • Employee: Injury or death

(Generic) Controls already in place

  • Confidentiality controls (describe)

  • Effective information security policies (e.g. clear desk, document classification) in place?

  • Non-disclosure agreements in place with individual external hires who can access the information?

  • Integrity controls (describe)

  • Segregation of Duties/Four eyes principle in place?

  • Availability controls (describe)

  • Business Continuity plan available (and tested)?

  • How is the effectiveness of these controls being monitored?

  • Are above controls sufficient and the remaining risks acceptable?

(Generic) Controls already in place (to be filled out or provided by the IT service provider)

  • Control framework in place?

  • Audits on effectiveness being executed?

  • Auditor

  • Audit type

  • Audit notes/general

  • Confidentiality controls (describe, if not mentioned below)

  • ISO 27001 compliant?

  • Access control with username and password?

  • Password strength

  • Integrity controls (describe if not mentioned below)

  • Segregation of duties and privileged user controls

  • Availability controls (describe)

  • Disaster Recovery Plan available and tested?

  • Redundant system?

  • Redundant data-center?

  • Backup in place and tested?

  • Are above controls sufficient and the remaining risks acceptable?

Follow up actions

  • Execute a follow-up, detailed control selection assessment?

  • Describe follow-up actions

The templates available in our Public Library have been created by our customers and employees to help get you started using SafetyCulture's solutions. The templates are intended to be used as hypothetical examples only and should not be used as a substitute for professional advice. You should seek your own professional advice to determine if the use of a template is permissible in your workplace or jurisdiction. You should independently determine whether the template is suitable for your circumstances.