Security Policy: Difference between revisions

Line 91:

The organization shall define and apply an information security risk assessment process that:

#~~establishes~~ and maintains information security risk criteria that include:

#Establishes and maintains information security risk criteria that include: (a) the risk acceptance criteria; and (b) criteria for performing information security risk assessments;

#Ensures that repeated information security risk assessments produce consistent, valid and comparable results;

*the risk acceptance criteria; and

#Identifies the information security risks: (a) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and (b) identify the risk owners;

#Analyses the information security risks: (a) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize; (b) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and (c)determine the levels of risk;

*criteria for performing information security risk assessments;

#Evaluates the information security risks: (a) compare the results of risk analysis with the risk criteria established in 6.1.2 a); and (b) prioritize the analysed risks for risk treatment.

#~~ensures~~ that repeated information security risk assessments produce consistent, valid and

comparable results;

#~~identifies~~ the information security risks:

*apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information

security management system; and

*identify the risk owners;

#~~analyses~~ the information security risks:

*assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize;

*assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and

*determine the levels of risk;

#~~evaluates~~ the information security risks:

*compare the results of risk analysis with the risk criteria established in 6.1.2 a); and

*prioritize the analysed risks for risk treatment.

The organization shall retain documented information about the information security risk assessment process.

@@ Line 91: / Line 91: @@
 The organization shall define and apply an information security risk assessment process that:
-#establishes and maintains information security risk criteria that include:
+#Establishes and maintains information security risk criteria that include: (a) the risk acceptance criteria; and (b) criteria for performing information security risk assessments;
+#Ensures that repeated information security risk assessments produce consistent, valid and comparable results;
-*the risk acceptance criteria; and
+#Identifies the information security risks: (a) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and (b) identify the risk owners;
+#Analyses the information security risks: (a) assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize; (b) assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and (c)determine the levels of risk;
-*criteria for performing information security risk assessments;
+#Evaluates the information security risks: (a) compare the results of risk analysis with the risk criteria established in 6.1.2 a); and (b) prioritize the analysed risks for risk treatment.
-#ensures that repeated information security risk assessments produce consistent, valid and
-comparable results;
-#identifies the information security risks:
-*apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information
-security management system; and
-*identify the risk owners;
-#analyses the information security risks:
-*assess the potential consequences that would result if the risks identified in 6.1.2 c) 1) were to materialize;
-*assess the realistic likelihood of the occurrence of the risks identified in 6.1.2 c) 1); and
-*determine the levels of risk;
-#evaluates the information security risks:
-*compare the results of risk analysis with the risk criteria established in 6.1.2 a); and
-*prioritize the analysed risks for risk treatment.
 The organization shall retain documented information about the information security risk assessment process.

Security Policy: Difference between revisions

Navigation menu

Search