Elements and Performance Criteria
- Evaluate security risks.
  - Security risks are identified and their consequences interpreted in accordance with client, organisational and legislative requirements and relevant standards.
  - Acceptable and unacceptable risks are clearly distinguished and confirmed.
  - High-priority risks are emphasised and specified to ensure the development of appropriate controls.
  - Existing controls are evaluated to determine their impact on risk occurrence, and required modifications are identified.
- Develop action plans.
  - Action plans are developed identifying the key tasks, activities and resources needed to achieve security risk management objectives.
  - The type of risk associated with the security context is identified and appropriate controls are incorporated into planning processes.
  - Communication and reporting arrangements for maintaining the currency of action plans are established.
  - Contingency arrangements for actions are developed and incorporated into plans.
- Design treatment options.
  - The operating environment is monitored to confirm potential and real risks, threats and required treatments.
  - Treatment options are selected in line with available organisational practices, and their implications researched, clarified and approved by relevant persons.
  - Feasible treatment options are documented and costed to ensure compatibility with the nature of the risk and client requirements.
  - Treatment options are linked to the whole or part of the security risks and verified with clients for suitability to the security context.
  - Tests on treatment options are conducted to determine applicability in the field, and results are statistically analysed to confirm the effectiveness of treatments.
- Develop security risk management plan.
  - Management requirements are identified and accounted for in the development of the security risk management plan.
  - Procedures for monitoring and review of security risk management activities are developed to ensure continuous improvement.
  - The security risk management plan is developed incorporating all relevant information, in line with the appropriate format and relevant standards.
  - The plan is finalised and presented to the client for review and approval in accordance with organisational procedures.