Risk Assessment Policy

Every organization should create a security risk assessment policy.

A risk assessment policy defines:

  • When risk assessments should be performed and when they should be repeated.
  • Under what conditions or circumstances a risk assessment should be performed.
  • Who should be involved in the risk assessment process.
  • Who is accountable.
  • Who participates in a risk assessment and what skills are required.
  • The expected deliverables from a risk assessment.
  • Which risks are accepted and how accepted risks are defined.
  • That risks must be mitigated or transferred, especially when they are critical.
  • The action plans that should be created as a result of a risk assessment.
  • The scope and general method of risk assessments.
  • That the risk assessment process will be updated as required based on the results of audits and incidents.