Risk assessment for DR: the method we follow

A blended qualitative-quantitative method that yields a usable risk-impact matrix in four hours — not another PDF to file away.

2 min read

TL;DR

Risk assessment for DR in 4 hours: identify critical systems, map threats, score impact and likelihood, decide treatment. Output: a 5×5 matrix with prioritised risks. ISO 27005 + ISO 31000 as reference framework.

The 4 steps

1. Asset identification (45 min)

List critical systems with metadata:

  • name, environment, owner;
  • data type (personal, financial, operational);
  • business value (high, medium, low);
  • ICT dependencies.

Output: spreadsheet with 10-30 assets.

2. Threat mapping (60 min)

For each asset identify 3-5 relevant threats:

  • hardware failure;
  • ransomware;
  • human error;
  • targeted attack;
  • physical event (fire, flood);
  • external vendor failure.

For DR the last four matter most.

3. Impact and likelihood scoring (90 min)

1-5 scale for each:

  • impact: negligible, low, medium, high, critical;
  • likelihood: rare, unlikely, possible, likely, certain.

Risk score = impact × likelihood.

4. Risk treatment (45 min)

For each risk above a threshold (typically score ≥ 12):

  • accept (motivated in writing);
  • mitigate (concrete actions and owners);
  • transfer (insurance);
  • avoid (architecture change).

Output: risk matrix + treatment plan.

Mistakes to avoid

  • a register with 50 entries: too detailed, it paralyses decisions. Stay at 10-30 assets.
  • "estimated" likelihoods without data: use company historical data and industry benchmarks.
  • not updating: an assessment is valid for 12 months, then redo it.

Half-day usable template

Five columns in a spreadsheet:

| Asset | Threat | Impact (1-5) | Likelihood (1-5) | Score | Treatment |
|---|---|---|---|---|---|
| ERP | Ransomware | 5 | 4 | 20 | Mitigate: DR + EDR |
| File server | Storage failure | 3 | 3 | 9 | Accept |

A working example takes 3-4 hours.
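To show the four steps and the template as running code rather than a spreadsheet, here is an added example (not part of the original article): it validates the 1-5 scores, computes score = impact × likelihood, flags everything at or above the ≥ 12 threshold, and bins each risk into the 5×5 matrix. The two register rows are the ones from the template above; the "Mail gateway" row and its values are constructed for illustration.

```python
from dataclasses import dataclass

IMPACT = ["negligible", "low", "medium", "high", "critical"]   # 1-5 labels
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "certain"]
THRESHOLD = 12  # risks scoring >= 12 need an explicit treatment decision

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    impact: int      # 1-5
    likelihood: int  # 1-5

    def score(self) -> int:
        # range-check first so a typo such as impact=7 fails instead of inflating the score
        for name, v in (("impact", self.impact), ("likelihood", self.likelihood)):
            if not 1 <= v <= 5:
                raise ValueError(f"{self.asset}/{self.threat}: {name}={v} not on 1-5 scale")
        return self.impact * self.likelihood

def build_register(risks: list[Risk]) -> list[dict]:
    """Scored register, highest risk first, flagged when at or above THRESHOLD."""
    rows = [{"asset": r.asset, "threat": r.threat,
             "impact": IMPACT[r.impact - 1], "likelihood": LIKELIHOOD[r.likelihood - 1],
             "score": r.score(), "treat": r.score() >= THRESHOLD} for r in risks]
    return sorted(rows, key=lambda row: row["score"], reverse=True)

def build_matrix(risks: list[Risk]) -> list[list[list[str]]]:
    """5x5 grid indexed [likelihood-1][impact-1]; each cell lists asset/threat labels."""
    grid = [[[] for _ in range(5)] for _ in range(5)]
    for r in risks:
        r.score()  # reuse the range check
        grid[r.likelihood - 1][r.impact - 1].append(f"{r.asset}/{r.threat}")
    return grid

# Constructed sample register: the two rows from the template above plus one
# hypothetical vendor-failure row that sits exactly on the threshold.
SAMPLE = [
    Risk("ERP", "Ransomware", impact=5, likelihood=4),
    Risk("File server", "Storage failure", impact=3, likelihood=3),
    Risk("Mail gateway", "External vendor failure", impact=4, likelihood=3),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE):
        print(row)
    grid = build_matrix(SAMPLE)
    for li in range(4, -1, -1):  # "certain" on top, impact left to right
        print(f"{LIKELIHOOD[li]:>9}:", [len(cell) for cell in grid[li]])
```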

Sefthy as response to many mitigations

For all risks mitigated by DR (most above impact 3), Sefthy is a direct answer. Document "mitigation: Sefthy DR PRO with 10-min RTO, contract no. X".

FAQ

Is ISO 27005 mandatory?

No, it is a guideline. ISO 31000 is the general risk framework. Your methodology can vary as long as it is consistent.

How many target risks?

For an SMB: 50-150 total risks, 10-20 above the "high" threshold.

See also: Business Impact Analysis (BIA) and Annex A.5.30.

Want to see Sefthy in action?

Same IP, same subnet, RTO in minutes. Try it free for 7 days or talk to one of our specialists.