Posted April 24, 2019
One of the benefits of having gone through the process of ISO 22301 certification is that it forced us to conduct a formal Activity Based Risk Assessment for our HQ and Primary Data Centre (PDC). In the case of our DC, the activity in question is the hosting of our IT infrastructure for external services to customers and internal services to staff. Now, if you’ve ever done a formal risk assessment, you’ll know that one of the first things you do is to identify possible hazards (or threats). The list we came up with is below. This list may not be exhaustive, but I think it covers the major risks within a Singapore context at least.
After you identify the hazards, the next step is to describe the possible effect such a hazard might have on your environment and ability to carry on the activity of providing IT services to external and internal parties.