Business context of an information system
Understand how the system fits into your organisation so you can judge how important its information is.
Stakeholders for the business context
You’ll need to meet with the business owner of the information system you’re assessing for risk. Make sure all the relevant stakeholders are involved and that everyone supports the risk assessment and its purpose.
Identify and define key aspects of the business context
At that meeting, the business owner is responsible for identifying and defining the following points.
Official classifications of all information
Any information that is stored, processed or transmitted by the information system must be assigned an official classification.
Business processes supported
List each business process the system supports and its objectives, along with any secondary, dependent or supporting processes and their objectives.
Users of the system
Detail the information system’s different types of users, inside and outside your organisation, and the level of privilege each type needs to do its work. For example, users can include:
- business users
- operations support staff
- members of the public
- another public organisation’s staff
- a private agency’s staff.
Security and compliance requirements
Identify the information system’s requirements for confidentiality, integrity, availability and privacy, as well as any laws and regulations the system must comply with.
Priorities for protecting information
The order of importance the business owner assigns to the confidentiality, integrity, availability and privacy of the information the system stores, processes or transmits.
Example template for risk assessments
The Government Chief Digital Officer (GCDO) has an example risk assessment template you can use if you need help working through the process.