Check who can approve the risk level
See your organisation’s policies to know who is authorised to accept risk at each level for an information system.
When to approve risks
Once you’ve done your risk assessment, you need someone to accept the risk in relation to a public cloud service.
How to approve risks at the right level of reporting
It’s not practical for chief executives to approve all risk assessments.
Following your organisation’s risk framework, make sure you sign off risk assessments at the right level for reporting risks. The Government Chief Digital Officer (GCDO) has an example of these levels of reporting.
Previous contact with the approver
You might also have consulted the approver when:
- deciding if you need a risk discovery before using a public cloud service
- making a decision from the risk discovery.
Regardless, you still need to have their final sign-off on the completed risk assessment.
The approver signs off or declines to accept the risk
Sign-offs, also called ‘endorsements’, can be done using either:
- your organisation’s document for sign-offs
- the ‘Cloud endorsement by agency’ form (Word 97KB).
Why sign-offs are important
These sign-offs show the:
- risk assessment is complete — that is, all necessary steps have been finished
- person at the right level of reporting has accepted the risk.
Risk assessment sign-offs are not complete certification and accreditation processes
See the New Zealand Information Security Manual (NZISM) for the complete certification and accreditation process.
More information about risk
For analysing risks during assessments, the GCDO has guidance about finding the:
- right scales and matrices for your organisation
- impacts of risks happening
- likelihood of risks happening
- initial risk ratings — also called overall or gross ratings
- existing controls for each risk
- final risk ratings — also called residual or net ratings.