Elements and Performance Criteria
- Confirm risk decisions
  - Management decisions determining acceptable and unacceptable risks are confirmed in accordance with organisational policy and procedures.
  - Low-level risks that the organisation decides to accept are noted and monitored to detect changed circumstances.
  - Unacceptable high-level risks are referred for the development of formal management plans.
  - Major or significant risks identified as unacceptable are noted for treatment.
- Identify risk treatments
  - Treatments are determined that are consistent with organisational policies, procedures and guidelines and the organisation's security plan.
  - Treatments are determined that are cost-effective and match the level and type of risk and the importance of the function or resource.
  - Treatments are selected to reduce the likelihood of occurrence or the consequences of the risk, or both.
  - Continuity plans are included in treatments, where appropriate, in accordance with the security plan.
  - Treatments are documented and submitted for approval in accordance with organisational policy and procedures.
- Implement countermeasures
  - A treatment plan is developed and implemented in accordance with organisational policy and procedures.
  - Implementation of countermeasures is undertaken in accordance with the implementation strategy detailed in the security plan.
  - Countermeasures are implemented in accordance with timeframe and budgetary requirements.
  - Countermeasures are implemented in accordance with legal requirements, government and organisational policy.
- Monitor and review security risk management process
  - Strategies to monitor the risk environment are implemented.
  - Monitoring is conducted on a regular basis in accordance with organisational policy and procedures.
  - Risk treatments are evaluated against the objectives of the security plan to ensure these remain effective and/or necessary.
  - Feedback is obtained from stakeholders on the adequacy of, and need for, current security measures affecting their work/area.
  - Recommendations for re-examination of security risk or improved risk treatments are conveyed to the appropriate personnel in accordance with organisational policy and procedures.