Elements and Performance Criteria
- Evaluate and prioritise risks
  - Consequences of identified risks are understood and considered against possible likelihood of occurrence
  - Acceptable and unacceptable risks are clearly distinguished and confirmed in accordance with organisational requirements
  - High priority risks are emphasised and specified to ensure the development of appropriate management requirements
  - Existing controls are evaluated to determine impact on risk occurrence, and modifications and improvements are identified in accordance with organisational requirements
- Develop action plans
  - Action plans are structured and formatted, and identify key tasks and functions associated with security risk management
  - Type of risk associated with security context is identifiable through available examples and incorporated into planning processes
  - Communication and reporting arrangements for maintenance of plans are established in line with client requirements and organisational needs
  - Contingency arrangements for occurrence of risks are developed and incorporated into plans
- Identify management requirements
  - Timelines and objectives specified in security risk plans are assessed against organisational processes and requirements
  - Documentation and checklists associated with the plan are prepared in established formats to ensure focus on key activities in risk management
  - Project planning requirements are identified and reviewed to determine availability of suitable resources and expertise
  - Feedback and monitoring arrangements for operational staff are prepared and established using appropriate procedures
- Design treatment options
  - Operating environment, including potential changes, is researched, confirmed, reviewed and linked to potential and real risks, threats and treatment strategies
  - Treatment options are selected in line with available industry practices, and implications of treatment options are researched, clarified and approved by the client
  - Treatment options are feasible, documented and costed to ensure compatibility with the nature of the risk and client requirements, including future goals and potential changes to the operating environment
  - Treatment options are linked to the whole or part of security risks and are verified with clients for suitability to the security context; this verification is documented, and the required resources are identified and allocated
  - Tests are conducted on treatment options to determine applicability in the field, and the results are statistically analysed where possible
- Develop risk management plan
  - Monitoring and review procedures are developed to ensure continuous improvement according to planning, client and organisational requirements
  - All relevant information is collated and documented according to assessment, client and organisational requirements
  - Plan is prepared and presented to the client or authorised representatives for review and approval in accordance with organisational requirements