Elements and Performance Criteria
- Establish security risk context
  - Strategic and organisational contexts are confirmed in accordance with the organisation's security plan.
  - Stakeholders are identified and their expectations and input are gathered in accordance with legislation, policy and procedures.
  - Security risk criteria are identified from the security plan and confirmed as current and relevant.
  - Information and resources are obtained to conduct the risk analysis in accordance with organisational policy and procedures.
- Identify security risk
  - Sources of security risk are identified and recorded in accordance with organisational policy and procedures.
  - Risks are identified using a specified methodology or tools in accordance with the security plan.
  - Sources of risk are identified from the perspective of all stakeholders.
  - Stakeholders are consulted during the risk identification process to finalise a list of risks.
- Analyse security risk
  - Threat assessments, current exposure and current security arrangements are identified in accordance with the security plan to estimate the likelihood of each risk event occurring.
  - Potential consequences of each risk are determined in accordance with the security plan, including critical lead time for recovery.
  - Risk ratings are determined, documented and communicated in accordance with the security plan and organisational standards.
  - A rationale for each risk rating is included in accordance with organisational requirements.
- Evaluate security risk
- Compile security risk register
  - A security risk register is developed that records identified risks, their nature and source.
  - The consequences and likelihood of risks, and the adequacy of existing controls, are identified in the register.
  - Risk ratings are recorded for identified risks in accordance with organisational procedures.
  - The security risk register is compiled to meet organisational standards for content, format and presentation, and reflects changes in circumstances.
  - The risk register is referred to management for decision on which risks will be accepted and which will require treatment.