RA_HO_05 — Cyber Security

Document Information

Field              | Value
-------------------|----------------------------------
Document Reference | RA_HO_05
Issue Date         | 04/07/2025
Next Review        | 04/07/2026
Assessed By        | Sean Ashton (HSQE Consultant)
Approved By        | Aaron Mason, Director
Classification     | Controlled

Download this risk assessment

The page below is the canonical record. The Word document is the same content as a downloadable snapshot — use it for offline copies, paper records or sign-off briefings.

Related: APP_07 Hazard Identification Log · APP_08 OHS Hazard Assessments Register

Task/Activity

Protection against cyber threats and maintaining information security

Location

All digital work environments

Persons at Risk

  • All staff
  • Company data and systems
  • Client information
  • Supply chain partners

Hazards and Controls

Hazard               | Existing Controls                         | S | L | R    | Additional Controls                                  | S | L | R
---------------------|-------------------------------------------|---|---|------|------------------------------------------------------|---|---|-----
Phishing attacks     | Email filtering, basic training           | 4 | 2 | 🟡 8 | Simulated phishing tests, advanced training          | 3 | 1 | 🟢 3
Ransomware           | Antivirus, backup systems                 | 4 | 2 | 🟡 8 | Advanced threat detection, isolated backups          | 3 | 1 | 🟢 3
Data theft           | Firewall, access controls                 | 4 | 2 | 🟡 8 | Enhanced monitoring, security awareness campaign     | 3 | 1 | 🟢 3
System compromise    | Password policies, updates                | 4 | 2 | 🟡 8 | Zero-trust architecture, regular penetration testing | 3 | 1 | 🟢 3
Weak passwords       | Password policy, complexity requirements  | 3 | 3 | 🟡 9 | Password manager provision, biometric authentication | 3 | 1 | 🟢 3
Unsecured Wi-Fi      | VPN provision, security guidance          | 3 | 2 | 🟡 6 | Mandatory VPN use, home router security              | 2 | 1 | 🟢 2
Social engineering   | Awareness training, verification procedures | 3 | 2 | 🟡 6 | Enhanced training, challenge protocols             | 3 | 1 | 🟢 3
Supply chain attacks | Vendor assessments, software controls     | 4 | 2 | 🟡 8 | Enhanced vetting, isolated environments              | 3 | 1 | 🟢 3

PPE Requirements

  • Not applicable

Training Requirements

  • Security awareness training
  • Phishing identification
  • Password management
  • Incident reporting
  • Data handling procedures
  • Social engineering awareness

Emergency Procedures

  • Cyber incident response plan
  • System isolation protocols
  • Evidence preservation
  • Recovery procedures
  • External reporting (ICO, NCSC)

Monitoring

  • Security event logging
  • Threat intelligence monitoring
  • Vulnerability assessments
  • Training completion rates
  • Phishing test results

Document Control

  • All risk assessments reviewed annually
  • Update following incidents or changes
  • Approved by senior management
  • Communicated to all relevant parties
  • APP_07 Hazard Identification Log
  • MAN01_INTEGRATED MANAGEMENT SYSTEM (IMS) MANUAL
  • APP_12 Training Matrix

Risk Scoring Matrix (4 × 4)

  • Severity (S): 1 = Negligible · 2 = Minor · 3 = Serious · 4 = Catastrophic
  • Likelihood (L): 1 = Remote · 2 = Unlikely · 3 = Likely · 4 = Almost Certain
  • Risk Rating (R = S × L): 🟢 Low (1-5) · 🟡 Medium (6-11) · 🔴 High (12-16)

This RA uses the same 4 × 4 matrix applied across APP_07, APP_08 and all sister RAs for auditor consistency.

How this document is approved

This document is maintained under AMWS's continuous-compliance model. Substantive revisions are reviewed and signed off by the Directors at the standing weekly Director / HSQE compliance call (Sean Ashton, Onyx + Leanne Mason). Currency, cross-references and minor edits are checked at the monthly Onyx site visit. The annual Management Review (September) provides the strategic-level confirmation. Compliance is therefore continuous, not gated on a single annual meeting.