Elements and Performance Criteria
- Establish security risk context
  - The scope of the risk assessment and its strategic and organisational context are identified in accordance with organisational requirements.
  - Legislation, policies, procedures and guidelines related to security risk management are identified and complied with.
  - Stakeholders are identified and their expectations and input are obtained in accordance with organisational policy and procedures.
  - Security risk criteria are identified in accordance with the organisation's security policy, jurisdictional policies and legislation.
  - A risk assessment plan is developed in accordance with organisational priorities, and endorsement is obtained.
- Gather and analyse information
  - Sources of information are identified and information is gathered in accordance with organisational policy and procedures.
  - Internal information, including historical information, is reviewed.
  - New information from internal and external sources is aggregated.
  - Information is contextualised to the organisational context.
  - Gaps in information are identified and addressed.
- Identify security risks
  - Sources of threat to the organisation's resources and functions are identified, and threats and potential threats are determined in accordance with organisational policy and procedures.
  - Threat assessment is conducted against organisational policies, procedures and guidelines.
  - Access to, availability of and procedures relating to resources and areas are analysed to determine risk exposure.
  - Risks are assessed using risk assessment techniques suited to the type and level of risk, in accordance with organisational policy and procedures.
  - Risk potential is determined and risks are documented in accordance with organisational requirements.
- Analyse security risks
  - Potential consequences of risks and threats are analysed in light of the potential damage to the organisation, including the critical lead time for recovery.
  - Analysis techniques are used in accordance with organisational policy and procedures.
  - Intent, capability and opportunity for each risk or threat to occur are assessed.
  - Using all known information, the likelihood of risks and threats occurring is assessed.
  - Current security countermeasures and treatment options are analysed to determine areas of vulnerability.
  - Risk ratings are determined and documented in the agreed format using all known information.
- Assess and prioritise security risks
  - Stakeholders are consulted about acceptable and unacceptable risk levels.
  - Acceptable and unacceptable levels of risk are documented.
  - Identified risks are compared with the security risk criteria to determine whether they are acceptable or unacceptable.
  - Identified risks are prioritised in accordance with the security risk criteria.
  - Risks are documented in priority order in accordance with organisational policies, procedures and guidelines.
  - Residual risks are determined and documented in accordance with organisational policies, procedures and guidelines.