Risk Assessment Policy
Every organization should create a security risk assessment policy.
A risk assessment policy defines:
- When risk assessments should be performed and when they should be repeated.
- Under what conditions or circumstances risk assessments should be performed.
- Who should be involved in the risk assessment process.
- Who is accountable.
- Who participates in a risk assessment and what skills are required.
- Expected deliverables from a risk assessment.
- Which risks are accepted and how accepted risks are defined.
- The requirement that risks be mitigated or transferred, especially when they are critical.
- Action plans that should be created as a result of a risk assessment.
- The scope and general method of risk assessments.
- That the risk assessment process will be updated as required based on the results of audits and incidents.