Elements and Performance Criteria
- Establish security risk context
  - Identify the scope and strategic and organisational contexts of the risk assessment.
  - Identify and comply with legislation, policies, procedures and guidelines related to security risk management.
  - Identify stakeholders and their expectations and obtain their input.
  - Identify security risk criteria.
  - Develop and obtain endorsement for a risk assessment plan according to organisational priorities.
- Gather and analyse information
- Identify security risks
  - Determine sources of threat to the organisation’s resources and functions.
  - Conduct threat assessment against organisational policies, procedures and guidelines and determine risk exposure.
  - Use risk assessment techniques which suit the type and level of risk.
  - Determine and document risk potential.
- Analyse security risks
  - Analyse potential consequences of risks or threats in light of potential damage to agency, including critical lead time for recovery.
  - Assess intent, capability and opportunity for each risk or threat to occur, using all available information.
  - Analyse current security countermeasures and treatment options to determine areas of vulnerability.
  - Determine and document risk ratings in agreed format.
- Assess and prioritise security risks
  - Consult stakeholders regarding acceptable and unacceptable risk levels.
  - Document acceptable and unacceptable levels of risk.
  - Compare identified risks with security risk criteria to determine whether they are acceptable or unacceptable.
  - Prioritise and document identified risks in accordance with security criteria.
  - Document determined residual risks.