RA_HO_02 — Cloud Data Management

Document Information

| Field | Value |
| --- | --- |
| Document Reference | RA_HO_02 |
| Issue Date | 04/07/2025 |
| Next Review | 04/07/2026 |
| Assessed By | Sean Ashton (HSQE Consultant) |
| Approved By | Aaron Mason, Director |
| Classification | Controlled |

Download this risk assessment

The page below is the canonical record. The Word document is the same content as a downloadable snapshot — use it for offline copies, paper records or sign-off briefings.


Related: APP_07 Hazard Identification Log · APP_08 OHS Hazard Assessments Register

Task/Activity

Managing and accessing company data via cloud platforms

Location

All locations with internet access

Persons at Risk

  • All staff
  • Clients (data subjects)
  • Company (reputational risk)

Hazards and Controls

| Hazard | Existing Controls | S | L | R | Additional Controls | S | L | R |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Data breaches | MFA authentication, encrypted storage, access controls | 4 | 2 | 🟡 8 | Enhanced security training, quarterly access reviews | 4 | 1 | 🟢 4 |
| Loss of confidential information | Backup procedures, retention policies | 3 | 2 | 🟡 6 | Automated backups, recovery testing | 3 | 1 | 🟢 3 |
| GDPR non-compliance | Data protection policy, privacy notices | 4 | 2 | 🟡 8 | Regular audits, incident response drills | 4 | 1 | 🟢 4 |
| Unauthorized access | Password policies, user permissions | 4 | 2 | 🟡 8 | Zero-trust architecture, privilege reviews | 4 | 1 | 🟢 4 |
| Cloud service outages | Multiple cloud providers, local backups | 3 | 2 | 🟡 6 | Business continuity plan, redundancy systems | 3 | 1 | 🟢 3 |
| Accidental data deletion | Recycle bins, version control | 3 | 2 | 🟡 6 | Immutable backups, deletion approval process | 2 | 1 | 🟢 2 |
| Insider threats | Access logging, monitoring | 4 | 1 | 🟢 4 | Behavioral analytics, data loss prevention tools | 4 | 1 | 🟢 4 |
| Third-party data sharing | Approved sharing protocols | 3 | 2 | 🟡 6 | Data classification system, sharing audit trail | 3 | 1 | 🟢 3 |

PPE Requirements

  • Not applicable

Training Requirements

  • Data protection training
  • Cyber security awareness
  • GDPR compliance
  • Incident response procedures
  • Cloud platform security features

Emergency Procedures

  • Data breach response plan
  • ICO notification process
  • Client notification protocol
  • System isolation procedures
  • Forensic preservation steps

Monitoring

  • Yearly access reviews
  • Security audit logs
  • Compliance checks
  • Incident analysis
  • Vulnerability assessments

Risk Assessment Summary

Risk Scoring Matrix

  • Severity (S): 1=Negligible, 2=Minor, 3=Serious, 4=Catastrophic
  • Likelihood (L): 1=Remote, 2=Unlikely, 3=Likely, 4=Almost Certain
  • Risk Rating: 🟢 Low (1-5), 🟡 Medium (6-11), 🔴 High (12-16)

Document Control

  • All risk assessments reviewed annually
  • Update following incidents or changes
  • Approved by senior management
  • Communicated to all relevant parties
  • APP_07 Hazard Identification Log
  • MAN01_INTEGRATED MANAGEMENT SYSTEM (IMS) MANUAL
  • APP_12 Training Matrix

Risk Scoring Matrix (4 × 4)

  • Severity (S): 1 = Negligible · 2 = Minor · 3 = Serious · 4 = Catastrophic
  • Likelihood (L): 1 = Remote · 2 = Unlikely · 3 = Likely · 4 = Almost Certain
  • Risk Rating (R = S × L): 🟢 Low (1-5) · 🟡 Medium (6-11) · 🔴 High (12-16)

This RA uses the same 4 × 4 matrix applied across APP_07, APP_08 and all sister RAs for auditor consistency.

How this document is approved

This document is maintained under AMWS's continuous-compliance model. Substantive revisions are reviewed and signed off by the Directors at the standing weekly Director / HSQE compliance call (Sean Ashton, Onyx + Leanne Mason). Currency, cross-references and minor edits are checked at the monthly Onyx site visit. The annual Management Review (September) provides the strategic-level confirmation. Compliance is therefore continuous, not gated on a single annual meeting.