Prioritise the risks to an information system

Find out which risks need to be evaluated and in which order of priority.

Check the risk tolerance levels

After completing the risk analysis, the business owner needs to check the final risk ratings against their organisation’s approved risk tolerance levels.

Acceptable risks

Risks that are given a final rating between 1 and 3 generally do not require further evaluation.

In terms of prioritisation, they should be added to your organisation’s risk register for monitoring and assessment on a regular basis — risks are rarely static in nature. Your organisation should have a process for regularly checking to make sure that the likelihood and impact ratings have not changed.

Monitor and review risks to information systems

Risks that require prioritisation and evaluation

Risks that are given a final rating between 4 and 25 need to be prioritised and evaluated.

Prioritising risks

The higher a risk’s final rating, the higher its priority.

When 2 or more risks have the same final rating, the business owner should use the protection priorities they defined when establishing the business context for the information system. These will allow the business owner to determine which risk is the higher priority for evaluation.
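The prioritisation rule above (rating 1 to 3 goes to the register, 4 to 25 is ordered highest rating first, ties broken by the business owner's protection priorities) as an added worked example in Python; it is not part of the original page. The risk names, ratings and the ordered protection-priority list are constructed sample values, and treating each risk as tagged with one protection priority is an assumption, since the page does not define how protection priorities are recorded.

```python
from dataclasses import dataclass

# Rating bands stated on the page.
ACCEPTABLE_MAX = 3   # final rating 1-3: add to the risk register and monitor
EVALUATE_MAX = 25    # final rating 4-25: prioritise and evaluate


@dataclass(frozen=True)
class Risk:
    name: str
    final_rating: int
    protection_priority: str  # assumed: the protection goal this risk affects


def prioritise(risks, protection_priorities):
    """Split risks into (acceptable, to_evaluate); to_evaluate is ordered.

    protection_priorities: ordered list from the business context, highest
    priority first (assumed input format). Ratings outside 1-25 and unknown
    priorities are rejected rather than silently sorted to the bottom.
    """
    order = {p: i for i, p in enumerate(protection_priorities)}
    acceptable, to_evaluate = [], []
    for r in risks:
        if not 1 <= r.final_rating <= EVALUATE_MAX:
            raise ValueError(f"{r.name}: rating {r.final_rating} outside 1-{EVALUATE_MAX}")
        if r.protection_priority not in order:
            raise ValueError(f"{r.name}: unknown protection priority {r.protection_priority!r}")
        (acceptable if r.final_rating <= ACCEPTABLE_MAX else to_evaluate).append(r)
    # Highest rating first; equal ratings fall back to the protection priority order.
    to_evaluate.sort(key=lambda r: (-r.final_rating, order[r.protection_priority]))
    return acceptable, to_evaluate


# Constructed sample data: two risks share the top rating and must be tie-broken.
SAMPLE_PRIORITIES = ["confidentiality", "integrity", "availability"]
SAMPLE_RISKS = [
    Risk("Unpatched web server", 20, "availability"),
    Risk("Weak admin passwords", 20, "confidentiality"),
    Risk("Lost backup tapes", 12, "confidentiality"),
    Risk("Stale public FAQ", 2, "integrity"),
]


def evaluation_order(risks=SAMPLE_RISKS, priorities=SAMPLE_PRIORITIES):
    """Return risk names in the order the business owner should evaluate them."""
    _, to_evaluate = prioritise(risks, priorities)
    return [r.name for r in to_evaluate]


if __name__ == "__main__":
    acceptable, to_evaluate = prioritise(SAMPLE_RISKS, SAMPLE_PRIORITIES)
    print("Register and monitor:", [r.name for r in acceptable])
    print("Evaluate in this order:", [r.name for r in to_evaluate])
```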

Evaluating risks

Find out how the business owner evaluates each risk and signs off on the risk assessment report.

Evaluate the risks to an information system
