Instructions for risk analyses linked to physical security in IT spaces

On 1 December 2025, the Head of IT Services adopted the Instructions for risk analyses linked to physical security in IT spaces, SU FV-3505-25.

Responsible unit: IT Services

Contact: Fredrik Bolinder

1. Introduction

The Rules of procedure for internal governance and control (Ref. no. SU FV-3412-24) describe how risk analyses are performed at Stockholm University. The rules of procedure establish four levels of impact (negligible/mild/noticeable/serious) and four levels of probability (unlikely/possible/likely/very likely). The total risk level is calculated by multiplying the impact level by the probability level, so the risk level can be between 1 and 16. Risk levels of 1–6 indicate low risk, risk levels of 7–11 indicate medium risk, and risk levels of 12–16 indicate high risk.

2. Implementation of risk analyses when planning physical security measures for IT spaces

The four impact levels correspond to the four security levels (none/basic/enhanced/high) used for the University’s information classification matrix, which are established in the Rules of procedure for the division of responsibilities and guidance related to security measures in information systems at Stockholm University, Appendix 2 (Ref. no. SU FV-1582-25).

The matrix is used to assess which security levels are required to protect information from the perspectives (security objectives) of availability, integrity, confidentiality, and traceability. To achieve cost-effectiveness and an adequate level of protection, physical security measures should be designed in accordance with the security levels given in the information classification matrix for the relevant information assets and IT systems.

If an information classification results in any of the security objectives being given a security level higher than two, a risk analysis must be performed to identify how the elevated security need can best be met. This analysis includes identifying risks, assessing their probability and impact, and proposing appropriate corrective measures. Once proposed measures have been outlined, a new assessment is performed to determine the final (residual) risk level. The results form the basis for prioritisation and decisions on physical security measures, and for placing corresponding requirements on suppliers of IT services.

3. Introduction of physical security measures in accordance with performed risk analyses

Requirements for physical security in IT spaces must be adapted to the security level required for the information and the IT systems that will be located there.

If an information classification results in a security level of one or two for information or an IT system (basic protection) for all security objectives (confidentiality, integrity, availability, traceability), the minimum level for physical security will apply in the IT space.

However, if any part of the information classification or the IT system’s classification results in a security level of three or four (enhanced protection) for any of the security objectives, a risk analysis must be performed in accordance with the above instructions. The results of the risk analysis determine which physical security measures need to be introduced.

Rules concerning physical security measures linked to IT spaces can be found in the document Rules for physical security of IT spaces.

Supporting document in PDF format

Instructions for risk analyses linked to physical security in IT spaces (PDF, 45.6 kB).

Last updated: 2026-04-22

Source: IT Services