Acme Corp — ISO 27001:2022 Risk Register
| ID | Risk Title | Category | Likelihood (1–5) | Impact (1–5) | Score (L × I) | Rating | Treatment | Status | Owner |
|---|---|---|---|---|---|---|---|---|---|
| R-001 | Insufficient access control on admin APIs | Technical | 4 | 5 | 20 | Critical | Treat | In Progress | T. Richards |
| R-002 | Data breach via third-party data processor | Vendor | 3 | 5 | 15 | High | Transfer | Open | J. Cooper |
| R-003 | Ransomware attack on workstations | Technical | 3 | 4 | 12 | High | Treat | In Progress | S. Lin |
| R-004 | Employees sharing credentials | People | 4 | 3 | 12 | High | Treat | Open | HR Dept |
| R-005 | Uncontrolled software deployment to production | Process | 3 | 4 | 12 | High | Treat | In Progress | Dev Lead |
| R-006 | Physical access to server room by visitors | Physical | 2 | 5 | 10 | Medium | Treat | Open | Facilities |
| R-007 | Loss of key personnel (single point of failure) | People | 3 | 3 | 9 | Medium | Accept | Accepted | Management |
| R-008 | Outdated backup restoration procedure | Process | 2 | 4 | 8 | Medium | Treat | In Progress | IT Ops |
| R-009 | Failure to notify data subjects of a breach in time | Legal | 2 | 4 | 8 | Medium | Treat | Open | DPO |
| R-010 | Denial-of-service attack on customer portal | Technical | 3 | 2 | 6 | Medium | Transfer | Mitigated | CTO |
| R-011 | SQL injection in legacy web application | Technical | 2 | 3 | 6 | Medium | Treat | In Progress | Dev Lead |
| R-012 | Supplier going out of business | Vendor | 2 | 2 | 4 | Low | Accept | Accepted | Procurement |
| R-013 | Accidental deletion of production data | Technical | 2 | 2 | 4 | Low | Treat | Mitigated | IT Ops |
| R-014 | Inadequate security awareness training for new starters | People | 3 | 1 | 3 | Low | Treat | Mitigated | HR Dept |