Execution
This component is the actual risk analysis. The supervisor of the risk analysis process carries out at least the following steps.
- Determine which threats could pose a danger to the reliability requirements of the information within the scope.
- Determine for each threat, where applicable, which actor could be behind it. Let the threat posed by that actor partly determine the likelihood. The threat an actor poses is determined by the knowledge the actor possesses, the resources the actor can bring to bear and the actor's motivation to carry out a (targeted) attack.
- Determine for each threat which information (system) it relates to.
- Determine for each threat possible causes and possible consequences.
- Determine for each threat the likelihood (based on the causes and the actor) and the impact (based on the consequences). Take the existing security measures into account. The resulting risk is the primary basis for prioritizing the mitigating measures. Justify the choices made.
- Determine how to act on each threat (the risk assessment): accept, reduce the probability, reduce the impact, reduce both the probability and the impact, transfer the risk or eliminate the risk. This choice is preferably made by the risk owner. If the risk owner is not present, the choice is made by those present and later submitted to the risk owner for approval. Justify the choice made.
It may happen that during an analysis session it cannot yet be decided how to act, because additional information is required that cannot be obtained during the session. Agree on who will obtain this information, how, and when the decision on how to act will then be made.
- If it is decided to accept a risk that falls outside the risk appetite, ensure official acceptance by the designated manager or director.
- If a risk is not accepted, determine in broad terms which measures are needed per threat to control the risk.
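A worked risk-register sketch of the steps above, added here as an example that is not part of the original page or its organisation. The three-point scale, the "weakest factor" rule for an actor's threat level and the one-step reduction per existing measure are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

LEVEL = {"low": 1, "medium": 2, "high": 3}
TREATMENTS = {"accept", "reduce_probability", "reduce_impact", "reduce_both", "transfer", "eliminate"}

@dataclass
class Actor:
    name: str
    knowledge: str   # what the actor knows
    resources: str   # what the actor can bring to bear
    motivation: str  # how much the actor wants a (targeted) attack
    def threat_level(self) -> int:
        # Assumption of this example: an attack needs all three factors,
        # so the threat an actor poses is bounded by the weakest of them.
        return min(LEVEL[self.knowledge], LEVEL[self.resources], LEVEL[self.motivation])

@dataclass
class Threat:
    description: str
    asset: str                # information (system) the threat relates to
    causes: list
    consequences: list
    actor: Optional[Actor]
    cause_likelihood: str     # likelihood judged from the causes alone
    impact: str               # impact judged from the consequences
    measures: list = field(default_factory=list)  # existing: (name, "likelihood"|"impact")
    def likelihood(self) -> int:
        level = LEVEL[self.cause_likelihood]
        if self.actor:  # the actor partly determines the likelihood
            level = max(level, self.actor.threat_level())
        # each existing measure aimed at likelihood lowers it one step (example convention)
        return max(1, level - sum(k == "likelihood" for _, k in self.measures))
    def impact_level(self) -> int:
        return max(1, LEVEL[self.impact] - sum(k == "impact" for _, k in self.measures))
    def risk(self) -> int:
        return self.likelihood() * self.impact_level()  # 1 (lowest) .. 9 (highest)

def assess(threat: Threat, treatment: str, justification: str, appetite: int, owner_present: bool) -> dict:
    # One risk-register row: the chosen treatment and the follow-up actions it triggers.
    if treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment {treatment!r}")
    return {"threat": threat.description, "asset": threat.asset, "risk": threat.risk(),
            "treatment": treatment, "justification": justification,
            # accepting a risk outside the appetite needs the designated manager or director
            "needs_official_acceptance": treatment == "accept" and threat.risk() > appetite,
            "needs_owner_approval": not owner_present,   # decided without the risk owner
            "needs_measures": treatment != "accept"}     # sketch measures in broad terms

# Constructed sample (not from the page): a criminal actor against an HR file share
CRIME = Actor("organised crime", "high", "high", "high")
RANSOMWARE = Threat("ransomware encrypts the HR file share", "HR file share", ["phishing"],
                    ["payroll unavailable"], CRIME, "low", "high",
                    [("MFA on remote access", "likelihood"), ("offline backups", "impact")])
```

Each `assess` call yields one register row; the boolean flags are the agreements the session must record before the risk is closed.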
It is also possible, and even desirable, to identify risks outside an analysis session. Encourage colleagues, especially those working on a project, to report risks to the owner of the item the risk relates to. This can also be done through a project leader. It is then up to the information owner to handle and register the risk.