Security Risk Assessment

The organization should, on a regular basis, perform a security risk assessment. The security risk assessment should:

  1. Be performed at agreed intervals not to exceed one year.
  2. Maintain records detailing the risk assessment, its outcome and follow-up actions as described in 20.7.4 Risk Management.
  3. Take into account regulatory requirements and industry standards (e.g. ISO 31000), as well as Service Level Agreement (SLA) commitments.

The organization should consider performing, at random, an unannounced security risk assessment and/or internal audit to detect potential security lapses during normal operations.

The outcome should be a report indicating the threats and vulnerabilities to which the organization and its (customer) assets may be exposed, including the risk analysis, the risk evaluation and recommendations for risk treatment of identified risks that exceed the level of risk acceptance.

Where feasible, the organization should make a summary of the report available on a need-to-know basis to customers and stakeholders.