Risk management

In most cases, you can mitigate the risks to the security of information assets that your division, department or faculty accesses by responsibly complying with the University’s ‘baseline’ security standards and information handling rules, but this does not remove the need to assess and manage risk.


The University’s baseline information security standard provides a minimum set of security requirements to be met, however, it is good practice to ensure that you assess the risks associated with information security in your division, department or faculty. You may also be required to demonstrate that you have conducted a risk assessment to external parties such as funders or partners. You must ensure risk assessments are signed off by an appropriate risk or information asset owner.


To fulfil your risk management obligations:

  • Apply the University's baseline information security standards to all information systems managed by your division, department or faculty
  • Ensure that information asset handling rules are being followed (these are determined by Information Asset Owners in accordance with the baseline standards)
  • Carry out and document an annual risk assessment for your division, department or faculty and for each major change that could impact on the security of your information

The Information Security team is responsible for maintaining and acting upon a University-wide information security risk register.

An information security risk assessment should be carried out at least annually and as required to assess each significant change to your information systems, including people, processes sand technology. This can be a complex undertaking, requiring specialised knowledge and skills, so to make it easier the Security GRC team has developed some tools and guidance to simplify the process. These include:

  • The IART for capturing details of information, systems and associated risks. The Requirements of Article 30 of the GDPR are also covered
  • The TPSA for assessing information security risks associated with third party suppliers
  • The BCSA for assessing information security risks associated with internal systems

These are currently undergoing trials by early adopters, but are available for you to use on request. If you would like to use them please contact grc@infosec.ox.ac.uk.


It is University policy to:

  • Adequately manage information security risk and carry out risk assessments on IT systems and business processes where appropriate. Information security risk assessments should be:
    • Carried out on all information systems on a regular basis in order to identify key information risks and determine the controls required to keep those risks within acceptable limits
    • Repeated periodically and carried out as required during the operational delivery and maintenance of the University's infrastructure, systems and processes
    • Included in the business case for any new ICT system that may be used to store confidential information