Prioritise the risks to an information system
Find out which risks need to be evaluated and in which order of priority.
Check the risk tolerance levels
After completing the risk analysis, the business owner needs to check the final risk ratings against their organisation’s approved risk tolerance levels.
Risks that are given a final rating between 1 and 3 generally do not require further evaluation.
Although they are not prioritised for evaluation, these risks should still be added to your organisation’s risk register for monitoring and assessment on a regular basis, because risks are rarely static in nature. Your organisation should have a process for regularly checking that the likelihood and impact ratings have not changed.
Risks that require prioritisation and evaluation
Risks that are given a final rating between 4 and 25 need to be prioritised and evaluated.
The higher a risk’s final rating, the higher its priority.
When 2 or more risks have the same final rating, the business owner should use the protection priorities they defined when establishing the business context for the information system. These priorities allow the business owner to determine which of the tied risks is the higher priority for evaluation.
Find out how the business owner evaluates each risk and signs off on the risk assessment report.