How we manage information security risks.

A part of our Information Security Management System.


1. Risk assessment methodology

This section gives the definitions and rules for risk assessment and risk management. The methodology also specifies whether risk assessment is qualitative or quantitative, the scales used for qualitative assessment, and the acceptable level of risk. See Risk Assessment Report – version 1.

2. Risk assessment implementation

IbCom's approach was to list all information security 'assets', then the threats and vulnerabilities related to each asset, the security risk classification and the risk owner; to assess the impact and likelihood for each asset/threat/vulnerability combination; and finally to calculate the level of risk.

3. Risk treatment implementation

IbCom implemented risk controls in a priority-based fashion. Not all risks are deemed equal in the organisation; focus and priority were given to 'unacceptable risks'.

Four treatment options were available for each unacceptable risk:

  1. Apply security controls from Annex A to decrease the risk.
  2. Transfer the risk to another party.
  3. Avoid the risk by stopping an activity that is too risky, or by doing it in a completely different fashion.
  4. Accept the risk (a known, allowable risk that is monitored and controlled).
