M2.2.3 - P1 - INFORMATION SECURITY RISK EVALUATION ANALYSIS
There is a great deal of information available on performing information security risk assessments, and more detail will be provided in a separate risk management document. This implementation guidance therefore provides only an overview of the most important concepts.
Once the risks have been calculated (see M2.2.2 - P1 - INFORMATION SECURITY RISK ANALYSIS above), the entity should compare the assessed risk levels with the risk criteria that have been established and documented in the Information Security Risk Management Policy (see M2.1.1 - P1 - INFORMATION SECURITY RISK MANAGEMENT POLICY above). This ranks the risks in order of severity and identifies those that are acceptable (because they fall below the general threshold of acceptance) and those that require treatment.
If necessary, the entity can assign additional priorities to the risks, e.g. if a risk, despite not being high, relates to a very vital business process. Any such assignment is entirely up to the entity; any decisions made should be reasoned and documented.
Decisions on risks should take account of the wider context of the risk and include consideration of the requirements of other parties, such as sector, regional or national initiatives. In some circumstances, the risk evaluation can lead to a decision to undertake further analysis.