Security Policy: Difference between revisions
| Line 96: | Line 96: | ||
| The organization shall define and apply an information security risk assessment process that:   | The organization shall define and apply an information security risk assessment process that:   | ||
| * Establishes and maintains information security risk criteria that include:   | * Establishes and maintains information security risk criteria that include: | ||
|            (a) the risk acceptance criteria; and   |            (a) the risk acceptance criteria; and | ||
|            (b) criteria for performing information security risk assessments; |            (b) criteria for performing information security risk assessments; | ||
| * Ensures that repeated information security risk assessments produce consistent, valid and comparable results; | * Ensures that repeated information security risk assessments produce consistent, valid and comparable results; | ||
| * Identifies the information security risks:   | * Identifies the information security risks:   | ||
|            (a) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and   |            (a) apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system; and | ||
|            (b) identify the risk owners; |            (b) identify the risk owners; | ||
| * Analyses the information security risks:   | * Analyses the information security risks:   | ||
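Review bot: the left and right columns of this region are identical except for trailing whitespace on the "Establishes and maintains", "(a) the risk acceptance criteria", "(b) criteria for performing", "(a) apply the information security risk assessment process" and "(b) identify the risk owners" rows, so the revision records no substantive change to the risk assessment process text; if the edit was meant only to clean whitespace, say so in the edit summary. Separately, the (a)/(b) sub-items are indented with leading spaces under the `*` bullets rather than using nested list markup, which many wikis render as preformatted text; consider `** (a) ...` / `** (b) ...` so the sub-criteria display as a nested list under each bullet.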