Next step — use the risk assessment report
The business owner makes sure the controls recommended in the risk assessment report are implemented.
Implement the controls from the report
How the recommended controls are put into action depends on whether the risk assessment is for an information system that is in current production or one that is new.
Information systems in current production
Develop a risk management plan using the risk assessment report.
For a government organisation, the risk management plan can be based on either:
- its risk register — set up to monitor and review risks
- an Agile approach
- a formal programme of work.
Formal programme of work
If the risks need to be managed as a formal programme of work, the risk management plan needs to:
- follow your organisation’s methodology for project management
- be approved at the right level of governance.
New information systems
Use the risk assessment report to add the controls required to manage the risks to the information system's:
- architecture and design
- Request for Proposal, if there is one
- contractual terms — especially for public cloud services.
Ongoing risk management of information systems
See how the risk assessments for information systems are part of government organisations’ ongoing frameworks for risk management.
Monitor and review risks to information systems