Security Risk Assessment and Audit (SRAA) | 安全風險評估及審核 | 安全风险评估及审计

Content (updated 2025.09)

  1. | Request for SRAA Quote | 要求 SRAA 報價
  2. | What is SRAA and Who needs to Care? | SRAA 是甚麼及誰要識 ?
  3. | How to Conduct SRAA ? | SRAA 怎麼做 ?
  4. | Our SRAA Services | 我們的 SRAA 服務
  5. | Methodology, Process Flow and Duration Ref. | 方法, 流程及需時參考
  6. | Updates You Should Know | 務必知悉的改動
  7. | Further Reading | 延伸閱讀

Quote For SRAA

Please use the following form to provide us with your requirements for a quote, or go to the CONTACT US page to reach us if you need assistance.

    What is SRAA and Who needs to Care?

    The Hong Kong Government has defined a full set of IT security policies, standards and guidelines (see Hong Kong Government – IT Security Policy & Guidelines) for its Bureaux / Departments (B/Ds), government-funded organizations and government-funded programmes to observe.

    Prelude: Official HKSARG SRAA Introduction Video (Cantonese)
    SRAA introduction video produced by the official infosec.gov.hk (Cantonese version). This video was produced and copyrighted by infosec.gov.hk; it was publicly accessible but has since been removed from the website and from YouTube. However, the concepts it presents are still valid and up to date, and it is recommended for an initial understanding of SRAA.

    SRAA stands for Security Risk Assessment and Audit, which is “an ongoing process of information security practices for discovering and correcting security issues. They involve a series of activities as shown below. They can be described as a cycle of iterative processes that require ongoing monitoring and control.”

    [Figure] An Iterative Process of Security Risk Assessment and Audit (source: HKSARG ISPG-SM01)

    IT Security Risk Assessment (SRA) is the process to identify, analyse and evaluate the security risks, and determine the mitigation measures to reduce the risks to an acceptable level.

    IT Security Audit (SA) is the review process to ensure that (i) security measures and configurations comply with IT security policies, standards and requirements; and (ii) IT security treatment recommendations are properly implemented and risk is appropriately mitigated.


    How to Conduct SRAA ?

    • Although the terms Security Risk Assessment and Security Audit sound generic, the recommended approach to conducting SRAA is defined in the Practice Guide for Security Risk Assessment & Audit (ISPG-SM01), available for download at Hong Kong Government – IT Security Policy & Guidelines.

    • Effective from ISPG-SM01 revision 2.0 (April 2024), there are major updates that [i] clarify some significant misunderstandings, and [ii] introduce new components of SRAA activities to observe.
    • [i] Significant misunderstandings of SRAA include:
      • the belief that SRA and SA MUST be conducted together and delivered as a 2-in-1 SRAA report
      • the belief that a single SRAA activity covers both risk identification and compliance checks in the Software Development Life Cycle (SDLC)
      • the assumption that SRAA is just a Vulnerability Scan or Penetration Test (a number of SRAA consultants still state incorrectly in their service offerings that “SRA typically covers the Penetration Testing process”)
    • [ii] The new components of SRAA activities to observe are detailed here; we recommend reading that first.


    Our SRAA Services

    • We are a registered sub-contractor of the Hong Kong Government for Information security, privacy assessment and independent testing services (category B) under the Standing Offer Agreement for Quality Professional Services 5 (SOA-QPS5) programme – see our full profile here.
    • We offer both Security Risk Assessment (SRA) and Security Audit (SA) as a third-party independent assessor / auditor to fulfil the Hong Kong Government’s requirements on SRAA.
    • We have been conducting SRAA services since 2019; parties served include:
      • Government Departments
      • Statutory Bodies
      • Non-Profit Organisations (NGO)
      • District Health Centres (DHC)
      • Government-Funded Organizations
      • Government-Funded Programmes

    • Although the methodology is standardized, the scale, scope and targets vary between types of projects. The following catalogue lists samples of our offerings:

    • Application specific
      • Web-based Application
      • Mobile App (Android or iOS, or both)
      • Legacy Client / Server based
      • IoT device

    • Network specific
      • Public Cloud infrastructure (Azure, AWS, etc.)
      • On-Premises External Network (Internet facing)
      • On-Premises Internal Network
      • On-Premises Wi-Fi Network
      • Hybrid Network including On-Premises Network & external IoT Devices

    • Platform Design & Implementation specific
      • Microsoft 365 & SharePoint
      • ERP / CRM system
      • Portal / CMS based (e-Learning / e-Leave) system
      • Membership management system

    • Infrastructure specific
      • Switch, Firewall, Intrusion Detection / Prevention System, End-point devices
      • SIEM / Log Management System
      • Central Control & Monitoring System
      • Security Cabinet integration with facilities such as CCTV, RFID, access locks
      • Activity Tracking / Anti-wandering System (Health-care specific)
      • Indoor Positioning System (Health-care specific)

    • Technology specific
      • Dynamic Application Security Testing (DAST) – automated application security scan
      • Static Application Security Testing (SAST) – application source code security scan
      • Credentialed Scan – automated application / network scan with given access privileges
      • Penetration Test (White-box, Black-box or Grey-box approach)


    Methodology, Process Flow and Duration Reference

    SRA (Security Risk Assessment) Methodology

    [Figure] General Security Risk Assessment Steps (source: HKSARG ISPG-SM01, with modification for concept illustration)

    * Important *  

    The project scope and objectives influence the analysis methods and the types of deliverables of the security risk assessment.

    The scope of a security risk assessment may cover the security measures of individual systems, the interactions between these systems, and the overall security posture of the system infrastructure.

    The general practice is to identify security risks following the Risk Identification steps (RI-1 to RI-4) stated in the SRAA Activities table under SRAA Process Flow and Duration Reference.

    SA (Security Audit) Methodology

    [Figure] Auditing Steps (source: HKSARG ISPG-SM01)

    * Important *  

    The audit scope and objectives should be clearly defined and established, and the requirements should be identified and agreed with the security auditors before proceeding.

    The scope should be specific; some examples are given in ISPG-SM01 for reference.

    For a departmental SA, or an SA without a system-specific scope, the general practice is to audit the scale and effectiveness of the ISMS defined by S17 or by the organization’s own ISMS framework (policy / standards / procedures).

    SRAA Process Flow and Duration Reference

    The table below lists the activities in sequence: a duration reference (where one applies), the activity and who performs it, and a description.

    Duration reference: n/a
    Activity: Request for Quote (RFQ)
    Description: A person interested in the SRAA service is provided with our SRAA Request-For-Quote (RFQ) Input Form. The form helps the inquiring party understand the SRAA service we propose and the associated process. By entering the required information on the form, a quotation can be provided based on the selected service and scope.

    Duration reference: 2-4 days
    Activity: Testing & Interview / Info. Gathering Schedule Alignment
    Description: Agree on the assessment / remediation / validation schedule and the duration of services.

    --- Engagement of SRA / SA starts ---

    Duration reference: depends on assessed party
    Activity: Checklists-For-Response (CFR) Submission (by assessed party)
    Description: The assessed party completes the CFR and submits it to the assessor with supporting evidence (if applicable). The CFR form is the tool for the assessor and the assessed party to communicate and agree upon the types and applicable scope of SRA / SA.

    Activity: In-scope information assets (IA) and information systems (IS) (by assessed party)
    Description: Included in the CFR is the IA & IS inventory form, which should list sub-system HW & SW components, firmware and patch levels, and so on.

    --- Below is for SRA only ---

    Duration reference: 7-14 days
    Activity: Risk Identification (by assessor)
    Description: Identify and document potential risks that could impact a system.
      • [RI-1] General Control Review: based on review of the submitted CFR and supporting evidence, plus communication with stakeholder(s) and site inspection (if applicable)
      • [RI-2] Secure-by-Design & Configuration Review: based on the Project Design Specification for the security implementation plus supporting evidence, or based on the responses and evidence in the CFR
      • [RI-3] Vulnerability Assessment & Pen-Test (VAPT): vulnerability assessment and penetration testing
      • [RI-4] Source Code Security Scan (optional; applicable if the assessed party has ownership of custom-developed software code). To save cost, it is acceptable for the assessed party to conduct this themselves using a well-accepted SAST tool plus proven secure coding standards; alternatively, the assessed party may have the assessor cover it within the SRAA services, at extra cost.

    Activity: Risk Analysis (by assessor)
    Description: Perform impact and likelihood assessment to determine the risk result.

    Activity: Risk Evaluation (by assessor)
    Description: Compare the result of the risk analysis with the established risk criteria to determine where additional action is required.

    Activity: Submission of Deliverables for Acceptance (by assessor)
    Description: Produce the security risk assessment report, the risk treatment plan and the system risk register, stating the findings and follow-up actions.

    --- Above is for SRA only ---

    --- Below is for SA only ---

    Activity: Compliance Check (by assessor)
    Description: Conduct compliance checking by documentation review, site visits, multi-level interviews / group discussions, surveys, etc., against S17 (not G3) and the departmental security policy or policies that are relevant and within the scope of the security audit (SA).

    Activity: Vulnerability Assessment & Pen-Test (VAPT) (by assessor)
    Description: Vulnerability assessment and penetration testing.

    Activity: Submission of Deliverables for Acceptance (by assessor)
    Description: Produce the security audit report, stating the findings and follow-up actions.

    --- Above is for SA only ---

    --- Below is for both SRA & SA ---

    Duration reference: depends on client
    Activity: Risk Mitigation (by assessed party)
    Description: Arrange the practices to address and reduce the impact of potential risks to an acceptable risk level.

    Activity: Risk Mitigation Evidence / Proof + Design Spec. Documentation Revision (by assessed party)
    Description: Note that identified vulnerabilities / risks may also apply to other in-scope implementations where they were not detected. The party implementing remediation should review and revise its security design document, and implement remediations in all applicable in-scope areas.

    Duration reference: 2-4 days
    Activity: Remediation Validation
    Description: Produce the SRA Remediation Validation report (if applicable) to validate that the remediation implementation works.
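    The Risk Analysis, Risk Evaluation and Risk Mitigation rows above, together with the General Security Risk Assessment Steps in the SRA Methodology section, describe how a finding becomes a risk register entry and a treatment-plan item. The following Python script is an added illustration and is not code from this page or from ISPG-SM01: it scores each finding by impact and likelihood, evaluates the score against a risk criterion, and, following the note that a detected risk may also apply to not-yet-detected in-scope implementations, registers the finding against every inventory asset that shares the affected component. The 1-5 scales, the level bands, the acceptance threshold, and the inventory and finding data are all constructed assumptions.

```python
"""Toy SRA risk register: risk analysis, risk evaluation and propagation of a
finding to other in-scope assets that share the affected component.

Added illustration, not code from the page or from ISPG-SM01. The 1-5 scales,
the level bands and the acceptance threshold are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One row of the IA & IS inventory submitted with the CFR."""
    name: str
    components: frozenset  # sub-system HW/SW components at a given version/patch level


@dataclass(frozen=True)
class Finding:
    """A risk identified by the assessor (RI-1 .. RI-4) against one component."""
    finding_id: str
    component: str    # component the weakness lies in
    observed_on: str  # asset on which it was actually detected
    impact: int       # 1 (negligible) .. 5 (severe)
    likelihood: int   # 1 (rare) .. 5 (almost certain)


@dataclass(frozen=True)
class RiskEntry:
    """One line of the system risk register."""
    finding_id: str
    asset: str
    component: str
    score: int
    level: str
    propagated: bool       # inferred from a shared component, not directly observed
    action_required: bool  # outcome of risk evaluation against the criteria


# Constructed risk criterion (assumption): score = impact x likelihood, and any
# score above ACCEPTABLE_SCORE needs a treatment-plan entry.
ACCEPTABLE_SCORE = 6


def risk_level(score: int) -> str:
    """Map a 1-25 score to a qualitative band (constructed bands)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def analyse(finding: Finding, asset: Asset) -> RiskEntry:
    """Risk analysis (impact x likelihood) and risk evaluation for one asset."""
    score = finding.impact * finding.likelihood
    return RiskEntry(
        finding_id=finding.finding_id,
        asset=asset.name,
        component=finding.component,
        score=score,
        level=risk_level(score),
        propagated=asset.name != finding.observed_on,
        action_required=score > ACCEPTABLE_SCORE,
    )


def build_risk_register(findings, inventory):
    """Register every finding against each in-scope asset carrying the affected
    component, so a weakness found on one system is also recorded for the
    systems that share the component but were not themselves tested."""
    return [analyse(f, a) for f in findings for a in inventory if f.component in a.components]


def treatment_plan(register):
    """Group entries needing action by (finding, component) so one remediation
    and one design-spec revision covers every affected asset."""
    plan = {}
    for entry in register:
        if entry.action_required:
            plan.setdefault((entry.finding_id, entry.component), []).append(entry.asset)
    return {key: sorted(assets) for key, assets in plan.items()}


# Constructed sample inventory and findings; component names are placeholders.
INVENTORY = [
    Asset("public-portal", frozenset({"httpd-2.4", "libtls-1.1", "webfw-3.2"})),
    Asset("member-api", frozenset({"httpd-2.4", "libtls-1.1", "apifw-2.0"})),
    Asset("intranet-cms", frozenset({"httpd-2.4", "cms-core-7"})),
]
SAMPLE_FINDINGS = [
    Finding("F-01", "libtls-1.1", observed_on="public-portal", impact=4, likelihood=4),
    Finding("F-02", "cms-core-7", observed_on="intranet-cms", impact=3, likelihood=2),
    Finding("F-03", "webfw-3.2", observed_on="public-portal", impact=3, likelihood=3),
]

if __name__ == "__main__":
    register = build_risk_register(SAMPLE_FINDINGS, INVENTORY)
    for e in register:
        tag = " (propagated)" if e.propagated else ""
        print(f"{e.finding_id} {e.asset:14} {e.component:11} score={e.score:2} "
              f"{e.level:6} action={e.action_required}{tag}")
    print("treatment plan:", treatment_plan(register))
```

    Running the script shows F-01 recorded twice, once where it was observed and once as a propagated entry for the second system using the same component, while F-02 stays below the acceptance threshold and produces no treatment-plan item. The grouping in treatment_plan is what makes the design-spec revision a single item per component rather than one per asset.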


    Further Reading

    SRAA Implementation Guide and related Government IT Security Policy documents

    • Practice Guide for Security Risk Assessment & Audit [ISPG-SM01]
    • Baseline IT Security Policy (S17)
    • IT Security Guidelines (G3)

    The above documents are part of the HKSARG IT Security Policy & Guidelines, with details and download URLs stated here: Hong Kong Government – IT Security Policy & Guidelines
