ISO 9001 Cl. 7.5 • ISO 27001 Cl. 8.2 • UK GDPR / DPA 2018 — Protection of client and business data during engineering operations
Excel format for operational use — editable risk scores, additional hazards, print-ready
| # | Activity / Process | Foreseeable Hazard | Who / What Affected | Existing Controls | C | L | R | Exposure | New Controls & Further Action | C | L | R | Exposure |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Handling sensitive client design data | Unauthorised access to client CAD files, 3D scan data, proprietary process information; data viewed by unauthorised personnel; breach of contractual confidentiality | Client intellectual property; CRGI business reputation; contractual obligations; professional indemnity exposure | • Role-based access control on SharePoint/OneDrive • NDA in place with all staff • Client data segregated by project folder • Annual ISMS awareness training |
4 | 3 | 12 | Moderate | • Implement sensitivity labels on all client files • Quarterly access review per ISMS REG06 • Data classification applied at point of receipt • Client-specific retention periods documented • Project data purged within 30 days of project closure unless contractually required |
4 | 1 | 4 | Low |
| 2 | Data transfer to and from client sites | Data interception during transfer; loss of USB drives or portable storage containing scan data; unencrypted email attachments; man-in-the-middle attacks on public Wi-Fi | Client data in transit; project deliverables; scan point cloud data (often >10GB); personal data where project involves personnel records | • Encrypted file transfer (SFTP/SharePoint) • BitLocker encryption on all CRGI devices • USB drives encrypted (AES-256) • No personal email for client data • VPN mandatory on public networks |
4 | 3 | 12 | Moderate | • Mandatory use of CRGI-approved transfer methods only • USB devices registered in ISMS asset register • Large scan data transferred via client-approved portal where available • Auto-delete confirmation after receipt • No public Wi-Fi without VPN active |
4 | 1 | 4 | Low |
| 3 | Phishing and social engineering attacks | Credential theft via phishing emails; impersonation of clients or senior management; malicious attachments targeting engineering software; invoice redirection fraud | All CRGI staff; business email accounts; access to client systems; financial accounts | • Microsoft Defender for Office 365 • MFA enforced on all accounts • Phishing awareness in ISMS training • Suspicious email reporting procedure |
4 | 3 | 12 | Moderate | • Quarterly phishing simulation exercises • Automated email banner for external senders • Conditional access policies (block sign-in from non-compliant devices) • Report and review all incidents via HPROC15 • Verbal confirmation required for any change to payment details |
4 | 1 | 4 | Low |
| 4 | Loss or theft of mobile devices | Laptop, tablet or phone containing client data lost or stolen during travel to client sites; vehicle break-in; device left at client premises | Client data on devices; CRGI credentials; access tokens for cloud services; UK GDPR personal data breach notification obligation | • BitLocker full-disk encryption • Remote wipe capability via Intune • Screen lock policy (5 min) • Devices not left visible in vehicles |
4 | 2 | 8 | Moderate | • Geo-fencing alerts for devices leaving UK • Immediate incident reporting procedure (within 1 hour to Ops Manager, 72 hours to ICO if personal data involved) • Quarterly device audit against asset register • Client notification protocol for data breach per contract terms |
4 | 1 | 4 | Low |
| 5 | Cloud storage misconfiguration | Incorrect sharing permissions on SharePoint/OneDrive; external sharing enabled for sensitive folders; orphaned access after project completion; accidental public sharing of client designs | Client data stored in cloud; shared project workspaces; archived project data | • SharePoint admin controls • External sharing disabled by default • Project folder structure template • Annual access review |
3 | 3 | 9 | Moderate | • Automated sensitivity label enforcement • External sharing requires Ops Manager approval with time-limited link • Project closure checklist includes access revocation • DLP policies for sensitive file types (.dwg, .rvt, .rcp, .e57, .pts) • Monthly orphaned permissions audit |
3 | 1 | 3 | Very Low |
| 6 | Client confidentiality breach | Inadvertent disclosure of one client’s information to another; design details visible on screen during video calls; cross-contamination between project folders; metadata leakage in issued documents | Client relationships; contractual obligations; CRGI reputation; potential legal liability; PI insurance claims | • Separate project folders per client • Clean desk/screen policy for video calls • NDA obligations briefed at induction • Confidentiality clause in contractor agreements |
5 | 2 | 10 | Moderate | • Virtual background mandatory for video calls in shared spaces • Second monitor discipline — client-facing content on primary only • Annual NDA refresher • Metadata scrub before external document issue • Incident reporting via HPROC15 for any suspected breach |
5 | 1 | 5 | Low |
| Likelihood ↓ / Consequence → | 1 Negligible | 2 Minor | 3 Moderate | 4 Major | 5 Catastrophic |
|---|---|---|---|---|---|
| 5 Almost Certain | 5 | 10 | 15 | 20 | 25 |
| 4 Likely | 4 | 8 | 12 | 16 | 20 |
| 3 Possible | 3 | 6 | 9 | 12 | 15 |
| 2 Unlikely | 2 | 4 | 6 | 8 | 10 |
| 1 Rare | 1 | 2 | 3 | 4 | 5 |
HPROC01 (Risk Assessment Procedure): any hazard scoring High (13–16) or Very High (17–25) after existing controls must be escalated to the CEO for formal risk acceptance before work proceeds. All residual risks are recorded in HREG01 (Risk & Opportunity Register). OH&S hazards feed into HREG03 (Hazard Register) and environmental aspects into HREG02 (Environmental Aspects Register).
HFORM20 (Risk Assessment Acknowledgment Form) and tracked in HREG06 (Training & Competency Matrix).