IRRS SRI levels
| SRI level | Risk description and representative scenario |
|---|---|
| SRI 1 – very low risk | Operational impact is negligible. Effects are isolated, non-sensitive and quickly reversible, with no strategic consequences. Example: benign adware detected; no sensitive data accessed |
| SRI 2 – low risk | Localised impact with limited propagation. May reveal hygiene issues but poses no critical threat. Example: misconfigured antivirus suppresses alerts, and minor malware is quarantined without incident |
| SRI 3 – moderate risk | A risk of escalation or lateral movement exists. Impact is significant if mishandled, though not immediately urgent. Example: a phishing link captures privileged credentials, but the account remains unused |
| SRI 4 – high risk | Causes business disruption or data exposure. Requires a timely and coordinated response to mitigate legal or reputational consequences. Example: insider exports sensitive customer data via USB |
| SRI 5 – very high risk | Catastrophic scenario involving widespread compromise, system unavailability or organisational viability risk. Example: ransomware spreads across core servers with exfiltration and extortion |