Comprehensive information security risk assessment for [REDACTED] conducted against ISO 27005 methodology. Identifies 18 risks across 4 business units with treatment recommendations. Engagement ref. ENG-2025-0534.
Plaidnox InfoSec conducted an information security risk assessment for [REDACTED] across four primary business units: Claims Processing, Underwriting, Customer Portal, and IT Operations. The assessment applied ISO 27005 risk methodology with threat-model-driven scenario identification.
Eighteen risks were identified and evaluated. 4 risks are rated Intolerable (immediate treatment required), 8 are ALARP (As Low As Reasonably Practicable . treatment recommended), and 6 are Tolerable with monitoring. The intolerable risks all involve customer PII data handling and represent regulatory exposure under GDPR and FCA ICT risk guidance.
| Risk ID | Risk Statement | Likelihood | Impact | Rating |
|---|---|---|---|---|
| R-001 | Unauthorised access to customer PII via compromised CRM credentials | High | Critical | Intolerable |
| R-002 | Ransomware targeting claims processing database . no offline backup | Medium | Critical | Intolerable |
| R-003 | Third-party data processor breach exposing underwriting data | Medium | High | Intolerable |
| R-004 | Insider threat . privileged IT staff exfiltrating policyholder data | Low | Critical | Intolerable |
| R-005 | Customer portal DDoS disrupting claims self-service | Medium | Medium | ALARP |
| R-006 | Phishing campaign harvesting broker portal credentials | High | Medium | ALARP |
| R-007 | API integration partner sends unencrypted PII in transit | Medium | High | ALARP |
| R-008 | Cloud misconfiguration exposes actuarial modelling data | Low | High | ALARP |
| Risk | Treatment Strategy | Key Controls | Target Rating |
|---|---|---|---|
| R-001 | Reduce | Enforce MFA on CRM; implement PAM for admin accounts; quarterly access review | ALARP |
| R-002 | Reduce + Transfer | Implement offline immutable backup; cyber insurance review; test restore quarterly | ALARP |
| R-003 | Reduce | Issue security addendum to processor contracts; annual security assessment of top 5 processors | ALARP |
| R-004 | Reduce + Detect | Deploy UEBA on privileged accounts; DLP monitoring on data egress; background check refresh | ALARP |