Checklist ITSCM Risk Analysis
ITIL Process: Service Delivery - IT Service Continuity Management
Checklist Category: Checklists for IT Service Continuity Management
The risk analysis within IT Service Continuity Management collects the following data in order to assess the risks in the event of disasters:
- Critical business processes
- Name
- Purpose and objectives of the process
- Classification of the processes into criticality categories (e.g. „Marginal“, „Normal“, „Critical“, „Highly Critical“)
- Critical business data
- Name
- Type of information and usage of the data
- Classification of the data into criticality categories (e.g. „Marginal“, „Normal“, „Critical“, „Highly Critical“)
- Critical IT Services
- Name
- Dependencies of the critical business processes and data upon the IT Service (relationships between processes/ data and IT Services)
- Classification of the IT Service into criticality categories (e.g. „Marginal“, „Normal“, „Critical“, „Highly Critical“)
- Critical IT infrastructure components
- Name
- Dependencies of the critical IT Services upon the IT infrastructure components (relationships between IT Services and IT infrastructure components)
- Classification of the IT infrastructure components into criticality categories (e.g. „Marginal“, „Normal“, „Critical“, „Highly Critical“)
- Threat analysis
- For all critical infrastructure components:
- Which threats/ disaster scenarios are imaginable?
- Which consequences does the occurrence of a scenario carry?
- Which level of damage would be expected?
- How likely is the occurrence? (e.g. „Highly Improbable“, „Improbable“, „Relatively Improbable“, „Rather Improbable“, „Highly Probable“
- For all critical infrastructure components:
- Analysis of vulnerabilities
- For all critical infrastructure components:
- Which vulnerabilities, impairing the critical infrastructure components in the event of a disaster, are imaginable?
- Which consequences would a failure carry?
- Which level of damage would be expected?
- How great is the probability of occurrence? (e.g. „Highly Improbable“, „Improbable“, „Relatively Improbable“, „Rather Improbable“, „Highly Probable“
- For all critical infrastructure components:
- Priorised list of the risks (risk = occurrence probability x level of damage)
- Type of risk
- Based on which threat or vulnerability
- Risk classification, e.g. „Negligible“, „Marginal risk, temporarily tolerable“, „Increased, still temporarily tolerable risk“, „High risk, not tolerable without precautionary measures“, „Extreme risk, to be ruled out by all means“