Stakeholders for the business context

You’ll need to meet with the business owner of the information system you’re assessing for risk. Make sure all the relevant stakeholders are involved and that everyone is on board with setting up a successful risk assessment.

Setting up a successful risk assessment

Identify and define key aspects of the business context

When meeting, the business owner is responsible for identifying and defining the following points.

Official classifications of all information

Any information that is stored, processed or transmitted by the information system must be assigned an official classification.

Classify information

Business processes supported

List the objectives of each business process and any secondary, dependent or supporting processes and their objectives.

Users of the system

Detail the information system’s different types of users, inside and outside your organisation, and the levels of privileges each need to do their work. For example, users can include:

• business users
• operations support staff
• members of the public
• another public organisation’s staff
• a private agency’s staff.

Security and compliance requirements

Identify the information system’s requirements for confidentiality, integrity, availability and privacy, as well as any relevant laws and regulations that need to be met by it.

Priorities for protecting information

The order of importance set by the business owner for the confidentiality, integrity, availability and privacy of the information being used with an information system.