Security Policy: Difference between revisions

Line 98:

# Establishes and maintains information security risk criteria that include:

:(a) the risk acceptance criteria; and

::(a) the risk acceptance criteria; and

:(b) criteria for performing information security risk assessments;

::(b) criteria for performing information security risk assessments;

# Ensures that repeated information security risk assessments produce consistent, valid and comparable results;

# Identifies the information security risks:

:(a) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and

::(a) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and

:(b) identify the risk owners;

::(b) identify the risk owners;

# Analyses the information security risks:

:(a) assess the potential consequences that would result if the risks identified were to materialize;

::(a) assess the potential consequences that would result if the risks identified were to materialize;

:(b) assess the realistic likelihood of the occurrence of the risks identified; and

::(b) assess the realistic likelihood of the occurrence of the risks identified; and

:(c)determine the levels of risk;

::(c)determine the levels of risk;

# Evaluates the information security risks:

:(a) compare the results of risk analysis with the risk criteria established; and

::(a) compare the results of risk analysis with the risk criteria established; and

:(b) prioritize the analysed risks for risk treatment.

::(b) prioritize the analysed risks for risk treatment.

The organization shall retain documented information about the information security risk assessment process.

@@ Line 98: / Line 98: @@
 # Establishes and maintains information security risk criteria that include:
-:(a) the risk acceptance criteria; and
+::(a) the risk acceptance criteria; and
-:(b) criteria for performing information security risk assessments;
+::(b) criteria for performing information security risk assessments;
 # Ensures that repeated information security risk assessments produce consistent, valid and comparable results;
 # Identifies the information security risks:
-:(a) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and
+::(a) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and
-:(b) identify the risk owners;
+::(b) identify the risk owners;
 # Analyses the information security risks:
-:(a) assess the potential consequences that would result if the risks identified were to materialize;
+::(a) assess the potential consequences that would result if the risks identified were to materialize;
-:(b) assess the realistic likelihood of the occurrence of the risks identified; and
+::(b) assess the realistic likelihood of the occurrence of the risks identified; and
-:(c)determine the levels of risk;
+::(c)determine the levels of risk;
 # Evaluates the information security risks:
-:(a) compare the results of risk analysis with the risk criteria established; and
+::(a) compare the results of risk analysis with the risk criteria established; and
-:(b) prioritize the analysed risks for risk treatment.
+::(b) prioritize the analysed risks for risk treatment.
 The organization shall retain documented information about the information security risk assessment process.

Security Policy: Difference between revisions

Navigation menu

Search