Risk Assessment Framework
Last Updated: 2026-02-12 Standard: ISO 27001:2022 -- Clause 6.1 / Clause 8.2 Review Cycle: Annually and after significant changes
1. Purpose#
This framework defines the methodology used by cloak.business to identify, assess, evaluate, and treat information security risks. It ensures that risks to the confidentiality, integrity, and availability of information assets are systematically managed and reduced to acceptable levels.
2. Scope#
This framework applies to all information assets within the cloak.business ISMS, including:
- Platform services and application components
- Infrastructure and hosting environments
- Customer data processed by the platform
- User accounts and authentication systems
- Third-party services and sub-processors
- Personnel and organizational processes
3. Methodology#
Risk Formula#
Risk is assessed using the standard formula:
Risk = Likelihood x Impact
Each factor is scored on a 1--5 scale, producing a risk score from 1 (lowest) to 25 (highest).
Likelihood Scale#
| Score | Level | Description |
|---|---|---|
| 1 | Very Low | Unlikely to occur; no history of occurrence |
| 2 | Low | Could occur but not expected; rare historical occurrence |
| 3 | Medium | Possible; has occurred in similar organizations |
| 4 | High | Likely to occur; has occurred before in this context |
| 5 | Very High | Expected to occur; frequent or ongoing threat |
Impact Scale#
| Score | Level | Description |
|---|---|---|
| 1 | Negligible | No measurable impact on operations, data, or reputation |
| 2 | Minor | Minimal impact; quickly recoverable with no data exposure |
| 3 | Moderate | Noticeable impact on service or limited data exposure; requires active response |
| 4 | Significant | Major impact on service availability or customer data; regulatory implications |
| 5 | Severe | Critical breach of customer data, extended outage, or major regulatory consequences |
Risk Levels#
| Risk Score | Level | Required Action |
|---|---|---|
| 1--4 | Low | Accept and monitor; no immediate action required |
| 5--9 | Medium | Implement controls within defined timeline; monitor regularly |
| 10--15 | High | Implement controls as a priority; management attention required |
| 16--25 | Critical | Immediate action required; escalate to management; controls must be implemented before proceeding |
4. Risk Categories#
Technical Risks#
Risks arising from the technology stack, software vulnerabilities, and system architecture:
- Application vulnerabilities (injection, authentication flaws, misconfiguration)
- Dependency vulnerabilities in third-party libraries
- Cryptographic weaknesses or key management failures
- System misconfiguration or hardening gaps
- Data processing errors or corruption
Operational Risks#
Risks arising from day-to-day operations and processes:
- Service outages or degraded performance
- Backup failures or data loss
- Monitoring gaps or delayed incident detection
- Patch management delays
- Human error in configuration or deployment
Compliance Risks#
Risks related to regulatory and contractual obligations:
- GDPR non-compliance (data processing, retention, subject rights)
- ISO 27001 control deficiencies
- Contractual SLA breaches
- Inadequate breach notification procedures
- Documentation gaps
Third-Party Risks#
Risks introduced through external service providers and dependencies:
- Sub-processor data handling practices
- Vendor service outages affecting platform availability
- Supply chain compromise
- Changes in third-party terms or capabilities
Personnel Risks#
Risks related to human factors:
- Insufficient security awareness
- Unauthorized access by personnel
- Knowledge concentration (key person dependency)
- Social engineering attacks
5. Risk Treatment Options#
When a risk exceeds the acceptable threshold, one of the following treatment strategies is applied:
| Option | Description | When Used |
|---|---|---|
| Mitigate | Implement controls to reduce likelihood or impact | Most common; risk can be reduced to acceptable level with reasonable effort |
| Accept | Acknowledge the risk without further action | Risk is within acceptable threshold or cost of mitigation exceeds potential impact |
| Transfer | Shift risk to a third party (e.g., insurance, outsourcing) | Risk can be effectively managed by a specialized third party |
| Avoid | Eliminate the activity or condition that creates the risk | Risk is unacceptable and cannot be adequately mitigated |
All treatment decisions are documented with justification and approved by management.
6. Key Risk Areas#
The following areas receive particular attention in our risk assessment process:
Data Protection#
- Confidentiality of customer data during processing
- Integrity of anonymization and detection results
- Prevention of unauthorized data access or exposure
- Compliance with data minimization and retention requirements
Availability#
- Platform service uptime and performance
- Resilience against denial-of-service conditions
- Backup and recovery capabilities
- Infrastructure redundancy
Access Control#
- Authentication strength and multi-factor adoption
- Role-based access enforcement
- Privileged access management
- Session security
Third-Party Services#
- Sub-processor security posture
- Dependency on external service availability
- Data handling practices of third parties
- Contract and SLA compliance
Cryptographic Controls#
- Encryption strength for data at rest and in transit
- Key management and rotation practices
- Certificate management and renewal
- Cryptographic algorithm currency
7. Risk Assessment Process#
Step 1: Asset Identification#
Identify and categorize all information assets within scope, including systems, data, services, and personnel.
Step 2: Threat Identification#
For each asset, identify potential threats from internal and external sources.
Step 3: Vulnerability Assessment#
Identify vulnerabilities that could be exploited by identified threats.
Step 4: Risk Evaluation#
Calculate risk scores (Likelihood x Impact) for each threat-vulnerability pair and map to risk levels.
Step 5: Risk Treatment#
Select and document treatment strategies for all risks above the acceptable threshold.
Step 6: Residual Risk Assessment#
Evaluate the remaining risk after treatment controls are applied. Ensure residual risk is within acceptable limits.
Step 7: Documentation and Reporting#
Record all findings, treatment decisions, and residual risk levels in the risk register. Report to management.
8. Review and Monitoring#
Risk assessments are conducted:
- Annually as a scheduled review of the complete risk register
- After significant changes to the platform, infrastructure, or business operations
- After security incidents to reassess affected risk areas
- When new threats emerge that may affect the risk landscape
The risk register is a living document, updated continuously as new information becomes available.
Revision History#
| Version | Date | Changes |
|---|---|---|
| 1.0 | 2026-02-09 | Initial framework publication |
Document maintained by cloak.business Contact: support@cloak.business