M2.4.1 - P1 - RISK MONITORING AND REVIEW
Monitoring and review should be a planned part of the information security risk management process and involve regular checking, surveillance and updates. Monitoring should be an ongoing process that identifies any changes relevant to information security risk management, and there should also be planned processes that ensure risk assessments and risk treatment plans are updated when such changes occur.
Responsibilities for monitoring and review should be clearly defined. (Refer to NCRMF for further details)
The entity’s monitoring and review processes should encompass all aspects of the information security risk management process for the purposes of:
- A. Ensuring that controls are effective and are achieving the risk treatment they were implemented for
- B. Integrating new information to improve the risk assessment and/or treatment
- C. Analyzing and learning lessons from events (including near-misses), changes, trends, successes and failures
- D. Detecting changes in the external and internal context, including changes to risk criteria and to the risks themselves, which can require revision of risk treatments and priorities
- E. Conducting vulnerability assessments frequently, including after security controls have been implemented, to identify emerging risks, new threats and trends
Progress in implementing risk treatment plans provides a performance indicator in itself. The results can be incorporated into the entity’s overall performance management, measurement and external and internal reporting activities.
The results of monitoring and review should be recorded and reported internally and externally as appropriate, and should also be used as an input to the review of the information security risk management policy (refer to M2.1.1).