Elements and Performance Criteria
- Confirm risk decisions
  - Confirm management decisions determining acceptable and unacceptable levels of risk.
  - Note and monitor low-level risks accepted by the organisation, to detect changed circumstances.
  - Refer unacceptable high-level risks for development of formal management plans.
  - Note for treatment all major or significant risks determined as unacceptable.
- Identify risk treatments
  - Ensure treatments are consistent with the security plan, are cost-effective, and address the levels and types of risk and the importance of the function or resource at risk.
  - Select treatments to reduce the likelihood and/or consequences of the risk.
  - Include continuity plans in treatments where appropriate.
  - Document treatments and submit for approval.
- Implement countermeasures
- Monitor and review security risk management process
  - Implement strategies to monitor the risk environment.
  - Evaluate risk treatments against the objectives of the security plan.
  - Obtain feedback from stakeholders on the adequacy of, and need for, current security measures affecting their work/area.
  - Convey recommendations for re-examination of security risk or improved risk treatments to the appropriate personnel.