The important thing to remember when gathering evidence is that the more evidence the better - that is, the more evidence you gather to demonstrate your skills, the more confident an assessor can be that you have learned the skills not just at one point in time, but are continuing to apply and develop those skills (as opposed to just learning for the test!). Furthermore, one piece of evidence that you collect will not usually demonstrate all the required criteria for a unit of competency, whereas multiple overlapping pieces of evidence will usually do the trick!
What evidence can you provide to prove your understanding of each of the following criteria?
Establish security risk context

| Criterion | Completed | Evidence |
|---|---|---|
| Strategic and organisational contexts are confirmed in accordance with the organisation's security plan. | | |
| Stakeholders are identified and their expectations and input are gathered in accordance with legislation, policy and procedures. | | |
| Security risk criteria are identified from the security plan and confirmed as current and relevant. | | |
| Information and resources are obtained to conduct the risk analysis in accordance with organisational policy and procedures. | | |
Identify security risk

| Criterion | Completed | Evidence |
|---|---|---|
| Sources of security risk are identified and recorded in accordance with organisational policy and procedures. | | |
| Risks are identified using a specified methodology or tools in accordance with the security plan. | | |
| Sources of risk are identified from the perspective of all stakeholders. | | |
| Stakeholders are consulted during the risk identification process to finalise a list of risks. | | |
Analyse security risk

| Criterion | Completed | Evidence |
|---|---|---|
| Threat assessments, current exposure and current security arrangements are identified in accordance with the security plan to estimate the likelihood of each risk event occurring. | | |
| Potential consequences of each risk are determined in accordance with the security plan, including critical lead time for recovery. | | |
| Risk ratings are determined, documented and communicated in accordance with the security plan and organisational standards. | | |
| A rationale for each risk rating is included in accordance with organisational requirements. | | |
Evaluate security risk

| Criterion | Completed | Evidence |
|---|---|---|
| Risks are assessed against the organisation's security risk criteria. | | |
| Risks are prioritised for treatment in accordance with the security plan. | | |
| Risks are monitored in accordance with the security plan until treatment measures have been implemented. | | |
Compile security risk register

| Criterion | Completed | Evidence |
|---|---|---|
| A security risk register is developed that records identified risks, their nature and source. | | |
| The consequences and likelihood of risks, and the adequacy of existing controls are identified in the register. | | |
| Risk ratings are recorded for identified risks in accordance with organisational procedures. | | |
| The security risk register is compiled to meet organisational standards for content, format and presentation and reflects changes in circumstances. | | |
| Risk register is referred to management for decision on which risks will be accepted and which will require treatment. | | |
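As an added worked example (not part of this page or of any unit of competency), the following Python script shows one way the analyse, evaluate and register criteria above fit together in practice: each risk entry carries its source, likelihood, consequence, existing controls and their adequacy, critical lead time for recovery and a written rationale; a rating is derived and recorded; the register is prioritised for treatment; and a recommended accept/treat split is produced for referral to management, who make the actual decision. The 5-point scales, rating bands, tie-break rule, acceptance rule and sample risks are all constructed assumptions for illustration; a real register takes its criteria from the organisation's security plan.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed 5-point scales and rating bands for this example only; a real
# register takes its scales, bands and acceptance criteria from the
# organisation's security plan.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RATING_ORDER = {"low": 1, "medium": 2, "high": 3, "extreme": 4}


def rate(likelihood: str, consequence: str) -> str:
    """Map a likelihood/consequence pair to a rating band (assumed bands on the product)."""
    score = LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]
    if score >= 15:
        return "extreme"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


@dataclass
class Risk:
    risk_id: str
    description: str
    source: str                   # origin of the risk (threat, dependency, stakeholder concern)
    likelihood: str
    consequence: str
    existing_controls: str
    controls_adequate: bool       # assessed adequacy of the controls already in place
    recovery_lead_time_days: int  # critical lead time for recovery (shorter = more urgent)
    rationale: str                # why this likelihood and consequence were chosen
    rating: str = field(init=False)

    def __post_init__(self) -> None:
        # Reject entries that are not on the agreed scale or that lack a rationale,
        # so the register cannot hold an unexplained rating.
        if self.likelihood not in LIKELIHOOD or self.consequence not in CONSEQUENCE:
            raise ValueError(f"{self.risk_id}: likelihood/consequence not on the agreed scale")
        if not self.rationale.strip():
            raise ValueError(f"{self.risk_id}: a rationale for the rating is required")
        self.rating = rate(self.likelihood, self.consequence)


def prioritise(register: list[Risk]) -> list[Risk]:
    """Order the register for treatment: highest rating first, then shortest
    critical recovery lead time (an assumed tie-break rule)."""
    return sorted(register, key=lambda r: (-RATING_ORDER[r.rating], r.recovery_lead_time_days))


def recommend(register: list[Risk], accept_up_to: str = "low") -> dict[str, list[str]]:
    """Split the register into a recommended 'accept' list and a 'treat' list for
    referral to management. Assumed rule: a risk is recommended for acceptance
    only if its rating is within the acceptance band AND its existing controls
    are judged adequate; everything else is recommended for treatment."""
    out: dict[str, list[str]] = {"accept": [], "treat": []}
    for r in prioritise(register):
        acceptable = RATING_ORDER[r.rating] <= RATING_ORDER[accept_up_to] and r.controls_adequate
        out["accept" if acceptable else "treat"].append(r.risk_id)
    return out


# Constructed sample register (not real organisational data).
SAMPLE_REGISTER = [
    Risk("R1", "Unauthorised after-hours access to the server room", "Physical intrusion",
         "possible", "major", "Swipe-card door, no CCTV", False, 2,
         "Two tailgating incidents logged this year; the room holds the primary domain controllers."),
    Risk("R2", "Loss of a staff laptop containing client records", "Staff / mobile equipment",
         "likely", "moderate", "Full-disk encryption, remote wipe", True, 5,
         "Laptop losses are reported several times a year; encryption limits disclosure."),
    Risk("R3", "Minor vandalism to external signage", "Public / opportunistic",
         "unlikely", "insignificant", "Lighting and patrols", True, 30,
         "Cosmetic damage only, no safety or information impact."),
    Risk("R4", "Ransomware delivered by phishing email", "External cyber threat",
         "likely", "severe", "Email filtering, annual awareness training", False, 1,
         "Sector peers were hit in the last 12 months; backups are untested."),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.risk_id} {r.rating:8} lead time {r.recovery_lead_time_days:>3}d  {r.description}")
    print(recommend(SAMPLE_REGISTER))
```

Run as a script it prints the prioritised register (R4, R1, R2, R3) and the recommendation for management; only R3 is recommended for acceptance because R2, although its controls are adequate, sits above the assumed "low" acceptance band. Raising `accept_up_to` to `"high"` moves R2 into the accept list, while R1 stays in the treat list because its existing controls were judged inadequate, which is the point of recording control adequacy alongside the rating.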