10. Information Security Risk Monitoring And Review Flashcards
Information Security Risk Monitoring And Review
Monitoring and review of risk factors
Input
All risk information obtained from the risk management activities.
Action
Risks and their factors (i.e. value of assets, impacts, threats, vulnerabilities, likelihood of occurrence) should be monitored and reviewed to identify any changes in the context of the organization at an early stage, and to maintain an overview of the complete risk picture.
Implementation guidance
Risks are not static. Threats, vulnerabilities, likelihood or consequences can change abruptly without any indication. Therefore, constant monitoring is necessary to detect these changes. This can be supported by external services that provide information regarding new threats or vulnerabilities.
Organizations should ensure that the following are continually monitored:
— new assets that have been included in the risk management scope;
— necessary modification of asset values, e.g. due to changed business requirements;
— new threats that can be active both outside and inside the organization and that have not been assessed;
New threats, vulnerabilities or changes in likelihood or consequences can increase risks previously assessed as low ones. Review of low and accepted risks should consider each risk separately, and all such risks as an aggregate as well, to assess their potential accumulated impact. If risks no longer fall into the low or acceptable risk category, they should be treated using one or more of the options considered in risk treatment.
The outcome of risk monitoring activities can be input to other risk review activities. The organization should review all risks regularly, and when major changes occur.
Output
Continual alignment of the management of risks with the organization’s business objectives, and with risk acceptance criteria.
Risk management monitoring, review and improvement
Input
All risk information obtained from the risk management activities
Action
The information security risk management process should be continually monitored, reviewed and improved as necessary and appropriate.
Implementation guidance
Ongoing monitoring and review is necessary to ensure that the context, the outcome of the risk assessment and risk treatment, as well as management plans, remain relevant and appropriate to the circumstances.
The organization should make sure that the information security risk management process and related activities remain appropriate in the present circumstances and are followed.
Any agreed improvements to the process or actions necessary to improve compliance with the process should be notified to the appropriate managers to have assurance that:
— no risk or risk element is overlooked or underestimated;
Output
Continual relevance of the information security risk management process to the organization’s business objectives or updating the process.