Monitor and review risks to information systems
By regularly checking on the risks to information systems, you’ll see if their risk ratings have changed or if their controls are no longer effective.
Monitor the risks — maintain a risk register
Very few risks remain static — a risk that is currently within the business owner and organisation’s risk tolerance may not stay that way.
Maintaining a risk register allows business owners in an organisation to monitor the:
- risks to information systems
- controls in place for each risk.
Review the risks
Having a routine for reviewing risks is essential to finding out whether risk ratings have changed.
By regularly reviewing the risks to your organisation’s information systems, you’ll be able to see if factors have changed that affect each:
- risk happening — the likelihood or impact, or both
- control — for example, its suitability or cost.
Next step — use the results
Your organisation’s risk management process should allow you to act on the results from monitoring and reviewing risks.
If there are any changes to risk ratings and controls, seek out the right stakeholders for:
- selecting suitable controls
- making sure final risk ratings are within the business owner and organisation’s risk tolerance.
You can use the relevant parts of the risk assessment process to help, such as: