Risk Assessment for System Security
System owners work with authorising officers to assess threats and risks for each system.
Plain language
System owners need to collaborate with the person responsible for authorising each system to assess what might go wrong and how to protect each specific system. This matters because if you don't understand the unique risks each system faces, you could expose your organisation to data breaches, financial losses, or damage to your reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cyber security roles
Section
System owners
Official control statement
System owners, in consultation with each system's authorising officer, conduct a threat and risk assessment for each system.
Why it matters
Without a system-specific threat and risk assessment, owners may miss key threats and weaknesses, increasing the likelihood of breach and disruption.
Operational notes
Review the system threat and risk assessment with the authorising officer at least annually and after major changes; record risks, treatments and residual risk.
Implementation tips
- System owners should consult with their authorising officer to define potential threats to each system. They can do this by listing what valuable information the system holds and who might want access to it. This helps in considering various scenarios like data breaches or system failures.
- System owners should organise a meeting with the authorising officer and relevant IT staff to discuss potential risks. Begin by identifying any cases where similar systems have faced issues or breaches. Taking these examples can guide the conversation on possible weaknesses.
- The IT team should assist system owners in documenting each identified risk. Use a simple table or spreadsheet to categorise the types of risks, their potential impact, and how likely they are to happen. This documentation guides future security strategies.
- Authorising officers should approve any decisions about risk mitigation strategies. They can review the documented threats and proposed solutions, providing any additional insights or approvals needed before changes are implemented.
- System owners must review the threat and risk assessment regularly, especially when there are changes like new software updates or shifts in how the system is used. Scheduling these reviews twice a year ensures that the system remains protected against evolving threats.
Audit / evidence tips
- Ask for the system risk assessment report: Request to see the document that describes the potential threats for the system and the agreed plans to address them.
  Good evidence: includes a detailed table, endorsed by the authorising officer, showing thoughtful assessment and current risk status.
- Ask for meeting notes from risk assessment sessions: Request notes or minutes from the meetings held to discuss system risks.
- Ask to see the schedule or log that tracks the regular review of risks.
- Ask for communication records between system owners and the authorising officer: Request emails or memos that show regular communication about system risks and their management.
- Ask for a copy of any changes made to systems post-risk assessment: Request change logs that document any modifications made to address identified risks.
  Good evidence: the change log will match risk assessment findings and actions taken, authorised by relevant parties.
Cross-framework mappings
How ISM-1203 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (4) | | |
| Annex A 5.7 | ISM-1203 requires system owners, in consultation with the system’s authorising officer, to conduct a threat and risk assessment for each ... | |
| Annex A 5.8 | ISM-1203 requires system owners and authorising officers to conduct a threat and risk assessment for each system | |
| Annex A 5.19 | ISM-1203 requires a threat and risk assessment for each system by the system owner with the authorising officer | |
| Annex A 5.21 | ISM-1203 requires conducting a threat and risk assessment for each system with authorising officer involvement | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.