Risk management methodology (draft)
This page defines a draft structure for risk management aligned with ISO/IEC 27001. It is intentionally conservative: it defines how we document risk, without claiming any particular risk posture or current state.
| Owner | Information Security Officer |
| Contact | infra@lef.tec.br |
| Version | 0.1 |
| Last updated | 2025-12-24 |
| Review cadence | On methodology changes |
1. Purpose
Provide a consistent method to identify, assess, treat, and review information security risks within the defined ISMS scope.
2. Inputs
Typical inputs (use what’s in scope):
- Services and systems: link to /services/ and /infra/
- Environments and data flows: link to /environments/
- Incidents and near-misses: link to /policies/operations/information-security-incident-response-procedure/
- Vulnerability signals: link to /policies/operations/vulnerability-management-procedure/
3. Risk assessment approach (draft)
3.1 Identify
- Describe the asset/process/system in scope (link to canonical docs).
- Describe the threat scenario and potential impact.
- Record any existing controls (policy/procedure/technical control), by linking to the canonical doc page.
3.2 Analyze and evaluate
Use a simple qualitative model:
- Likelihood: Low / Medium / High
- Impact: Low / Medium / High
- Risk level: combine likelihood + impact using an agreed matrix.
3.3 Treat
For each risk, choose one treatment option:
- Reduce (add/improve controls)
- Transfer (contract/insurance)
- Avoid (stop the activity)
- Accept (document rationale)
Treatment actions should map to:
- a change (engineering/infra) and/or
- a policy/procedure update and/or
- an Annex A control entry in the SoA.