Risk Register

Reasons

Risks can only be managed once they have been made transparent, and a risk analysis is the means of doing so. There are various reasons to start a risk analysis or to revise one that has already been performed. Information owners can use the reasons below.

  • When introducing a new process or method for processing information. This requires a completely new risk analysis, in which all steps from the next chapter must be completed. It is the responsibility of the information owner to initiate the risk analysis.
  • In the event of a significant change in an existing process, method or infrastructure. Depending on the size of the change, a new risk analysis will have to be performed or an existing one can be updated.
  • A change in risk acceptance or relevant legislation can lead to stricter security requirements. Previously made decisions in risk analyses will have to be reconsidered.
  • An increase in the classification of the information involved can be a reason to examine, for risk analyses that have already been performed, whether existing measures need to be tightened or additional measures are needed.
  • An incident can be a reason to assess whether the assessments made in earlier risk analyses are still correct or need to be adjusted.
  • The expiry of the validity period of a performed risk analysis. The previously performed risk analysis must be updated.
  • In the event of a possible change in the threat landscape. It is the responsibility of the CISO to inform risk owners about this. Consider technical reasons such as the disclosure of vulnerabilities or new attack techniques, technological developments, but also changes in the relationship between countries or social developments and events that could lead to digital attacks.
  • Prior to purchasing an ICT service or ICT product from a supplier, where the dependency on that supplier will be examined in particular.