5. Risk Evaluation Flashcards
Risk Evaluation
Input
A list of risks with value levels assigned and risk evaluation criteria.
Action
Levels of risk should be compared against the risk evaluation criteria and the risk acceptance criteria.
Implementation guidance
To evaluate risks, organizations should compare the estimated risks (obtained using the selected methods or approaches) with the risk evaluation criteria defined during context establishment. The risk evaluation criteria used to make decisions should be consistent with the defined external and internal information security risk management context and should take into account the objectives of the organization, stakeholder views, and similar factors.
Decisions taken in the risk evaluation activity are based mainly on the acceptable level of risk. However, consequences, likelihood, and the degree of confidence in the risk identification and analysis should be considered as well.
Output
A list of risks prioritized according to risk evaluation criteria in relation to the incident scenarios that lead to those risks.