* Risk Level

Level | Personal safety | Reputation damage (loss of public confidence, negative PR) | Violation of statutory and legal requirements (non-compliance with laws, fines and penalties, breach of contract, etc.) | Direct financial loss (revenue, interest costs and fines, additional cost of work, etc.) | Damage to customer service (termination or reduction of service, etc.)
1. Minimum | No effect on personal safety | Minor annoyance to individuals | No impact on statutory and legal requirements | Negligible impact | Possible reduction of service to an individual
2. Low | Anxiety or discomfort to individuals | Low-level media coverage | Non-compliance issue raised by senior management | Acceptable impact | Possible reduction of service to many people
3. Medium | Risk to the safety of individuals | Short-term media coverage | Non-compliance found by an investigation | High impact | Possible service interruption
4. High | Very dangerous to personal safety | Long-term, sustained media coverage | Violation of statutory and legal requirements | Fatal impact | Possible loss of customer trust
Score | | | | |

* Decision: (L) / Risk Level band: L = 9 or less, M = 10 to 15, H = 16 or more. Five factors scored 1 to 4 give a total of 5 to 20; the sheet's wording "less than 9 / more than 16" is read inclusively so that no total falls between bands.
* Complexity Level

Level | Supply chain (number of suppliers, cost, time, delivery dates) | Organizational size and number of processes (organization, stakeholder relationships) | Number of installed servers (probability of failure, degree of influence)
1. Minimum | Can be self-managed | Can be self-managed | Can be self-managed
2. Low | Requires a minimum of staff | Requires a minimum of staff | Requires a minimum of staff
3. Medium | Requires a dedicated management department | Requires a dedicated management department | Requires a dedicated management department
4. High | Must be managed company-wide | Must be managed company-wide | Must be managed company-wide
Score | | |

* Decision: (L) / Complexity Level band: L = 5 or less, M = 6 to 9, H = 10 or more. Three factors scored 1 to 4 give a total of 3 to 12; "less than 5 / more than 10" is read inclusively.

* Total score: (L) / (1. Risk Level + 2. Complexity Level): L = 15 or less, M = 16 to 25, H = 26 or more (combined range 8 to 32).
* ISO 27001 Questionnaire

With reference to the required scope of certification, mark one choice per factor with an 'X'. Exactly one choice per factor is required.

Business complexity (sum of the three scores): example: Low (3 to 4) / Medium (5 to 6) / High (7 to 9)

Item | Score | Factors related to business and organization | Answer (X)
Business type and regulatory requirements | 1 | Organization works in non-critical (low-risk) business sectors and is not regulated. Little sensitive or confidential information. / Does not work in critical business sectors. (Critical business sectors are those that may affect critical public services, causing risk to health, security, the economy, public image and the government's ability to function, with a very large negative impact on the country: e.g. nuclear; chemical and pharmaceutical; electricity, gas and water; telecoms; transport and logistics; aerospace; railway; banking, finance and insurance; public administration; healthcare.) |
| 2 | Organization works in non-critical (low-risk) business sectors with high (sector-specific) regulatory requirements. Sensitive or confidential information. |
| 3 | Organization works in critical (high-risk) business sectors. Higher amount of sensitive or confidential information. |
Process and task | 1 | Few critical assets (in terms of confidentiality, integrity, availability). Only one key business process with few interfaces and business units involved. |
| 2 | Some critical assets (in terms of confidentiality, integrity, availability). Some key complex processes (2 or 3) with few interfaces and business units involved. |
| 3 | Many critical assets (in terms of confidentiality, integrity, availability). More than 3 key complex processes with many interfaces and business units involved. |
Management system establishment level | 1 | ISMS fully implemented for several years. Internal audits, management reviews and effective continual improvement activities well established. / ISMS established recently |
| 2 | ISMS fully implemented for some months. Internal audits, management reviews and effective continual improvement activities carried out once. |
| 3 | No other management system implemented at all; the ISMS is new and not completely established (e.g. lack of management-system-specific control mechanisms, immature continual improvement processes, ad hoc process execution, limited number of records). |
IT complexity (sum of the three scores): example: Low (3 to 4) / Medium (5 to 6) / High (7 to 9)

Item | Score | Factors related to the IT environment | Answer (X)
IT infrastructure complexity | 1 | Few and/or highly standardized IT platforms, servers, operating systems, databases, networks, etc. |
| 2 | Several and/or different IT platforms, servers, operating systems, databases, networks |
| 3 | Multiple different IT platforms, servers, operating systems, databases, networks |
Outsourcing and provider dependencies, including cloud services | 1 | Little or no dependency on outsourcing or critical suppliers. / No outsourcing |
| 2 | Some dependency on outsourcing or suppliers, related to some but not all important business activities. |
| 3 | High dependency on outsourcing or suppliers, with large impact on important business activities. |
Information system development | 1 | No or very limited in-house systems/applications development. Use of standardized software platforms. / No development |
| 2 | Some in-house or outsourced systems/applications development for some important business purposes. Use of standardized software platforms with complex configuration/parameterization. |
| 3 | Extensive in-house or outsourced systems/applications development for important business purposes. |
* Example for audit time calculation

Adjustment to the baseline audit time, by business complexity (rows) and IT complexity (columns):

Business complexity \ IT complexity | L (3 to 4) | M (5 to 6) | H (7 to 9)
H (7 to 9) | +5% to +20% | +10% to +50% | +20% to +100%
M (5 to 6) | -5% to -10% | 0% | +10% to +50%
L (3 to 4) | -10% to -30% | -5% to -10% | +5% to +20%
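The banding and adjustment rules on this page, as an added Python calculator that is not part of the original worksheet: it enforces one answer per questionnaire factor, sums and bands the business and IT complexity totals, looks up the audit-time adjustment range from the matrix above, and also bands the Risk Level and Complexity Level totals from the first two tables. Function names, the sample answers and the baseline audit duration are my own assumptions; band edges are read inclusively ("9 or less / 16 or more") because the sheet's "less than 9 / more than 16" wording leaves totals of exactly 9 and 16 unassigned.

```python
"""Audit-time adjustment calculator for the worksheet above (added example).

Band edges and the adjustment matrix are transcribed from the page; the
"less than / more than" wording is read inclusively so bands are contiguous.
Sample answers used in the __main__ block are constructed, not from the page.
"""
from __future__ import annotations

from typing import Mapping, Sequence

# Questionnaire factors; each may be answered with exactly one score in {1, 2, 3}.
BUSINESS_FACTORS = (
    "Business type and regulatory requirements",
    "Process and task",
    "Management system establishment level",
)
IT_FACTORS = (
    "IT infrastructure complexity",
    "Outsourcing and provider dependencies, including cloud services",
    "Information system development",
)

# Bands as (label, inclusive low, inclusive high).
COMPLEXITY_BANDS = (("L", 3, 4), ("M", 5, 6), ("H", 7, 9))          # 3 factors x 1..3
RISK_BANDS = (("L", 5, 9), ("M", 10, 15), ("H", 16, 20))              # 5 factors x 1..4
COMPLEXITY_LEVEL_BANDS = (("L", 3, 5), ("M", 6, 9), ("H", 10, 12))    # 3 factors x 1..4
TOTAL_BANDS = (("L", 8, 15), ("M", 16, 25), ("H", 26, 32))            # risk + complexity

# Audit-time adjustment matrix: (business band, IT band) -> (min %, max %).
ADJUSTMENT = {
    ("H", "L"): (5, 20),    ("H", "M"): (10, 50),  ("H", "H"): (20, 100),
    ("M", "L"): (-10, -5),  ("M", "M"): (0, 0),    ("M", "H"): (10, 50),
    ("L", "L"): (-30, -10), ("L", "M"): (-10, -5), ("L", "H"): (5, 20),
}


def band(score: int, bands=COMPLEXITY_BANDS) -> str:
    """Map a total to its L/M/H label; raises if the total is outside every band."""
    for label, lo, hi in bands:
        if lo <= score <= hi:
            return label
    raise ValueError(f"score {score} is outside all bands {bands}")


def total_score(answers: Mapping[str, int], factors: Sequence[str]) -> int:
    """Sum one answer per factor, rejecting missing, unknown or out-of-range marks."""
    missing = [f for f in factors if f not in answers]
    unknown = [f for f in answers if f not in factors]
    if missing or unknown:
        raise ValueError(f"one answer per factor required; missing={missing} unknown={unknown}")
    bad = {f: s for f, s in answers.items() if s not in (1, 2, 3)}
    if bad:
        raise ValueError(f"scores must be 1, 2 or 3: {bad}")
    return sum(answers[f] for f in factors)


def audit_time_adjustment(business: Mapping[str, int], it: Mapping[str, int]) -> dict:
    """Band both questionnaire totals and return the matrix cell they select."""
    b_score, i_score = total_score(business, BUSINESS_FACTORS), total_score(it, IT_FACTORS)
    b_band, i_band = band(b_score), band(i_score)
    return {"business": (b_score, b_band), "it": (i_score, i_band),
            "adjustment_pct": ADJUSTMENT[(b_band, i_band)]}


def adjusted_audit_days(base_days: float, business, it) -> tuple[float, float]:
    """Apply the adjustment range to a baseline duration (the baseline itself is an input)."""
    lo, hi = audit_time_adjustment(business, it)["adjustment_pct"]
    return (round(base_days * (1 + lo / 100), 2), round(base_days * (1 + hi / 100), 2))


def risk_complexity_decision(risk: Sequence[int], complexity: Sequence[int]) -> dict:
    """Band the Risk Level (5 scores), Complexity Level (3 scores) and their total."""
    if len(risk) != 5 or len(complexity) != 3:
        raise ValueError("Risk Level needs 5 scores and Complexity Level needs 3")
    if any(s not in (1, 2, 3, 4) for s in (*risk, *complexity)):
        raise ValueError("each score must be 1 to 4")
    r, c = sum(risk), sum(complexity)
    return {"risk": (r, band(r, RISK_BANDS)),
            "complexity": (c, band(c, COMPLEXITY_LEVEL_BANDS)),
            "total": (r + c, band(r + c, TOTAL_BANDS))}


if __name__ == "__main__":
    # Constructed sample answers (assumption, not from the page).
    business = dict(zip(BUSINESS_FACTORS, (1, 2, 2)))   # total 5 -> M
    it = dict(zip(IT_FACTORS, (2, 3, 2)))               # total 7 -> H
    print(audit_time_adjustment(business, it))
    print(adjusted_audit_days(10, business, it))        # baseline of 10 days is assumed
    print(risk_complexity_decision([1, 2, 1, 2, 1], [1, 2, 2]))
```

The baseline audit duration that the percentage adjusts is not given on this page (it comes from the certification body's own duration table), so `adjusted_audit_days` takes it as an input rather than guessing it. The validation in `total_score` is the part worth keeping: the questionnaire's "only one choice per factor" rule is easy to break on a spreadsheet, and a double-marked factor silently inflates the band.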