Risk assessments are done per product or system.
Purpose | Information security and privacy work is risk based and must be documented. A risk assessment is a very useful tool for structuring and documenting what we think. Risk assessments, whether they pertain to information security or other types of risk, are a means of providing decision makers with the information they need to understand the factors that can negatively influence operations and outcomes, and to make informed judgments about the extent of the actions needed to reduce risk. For most purposes, a risk assessment on a qualitative scale is adequate. Above all, a risk assessment establishes the priority of the actions to be implemented. |
Responsibility | Product Owners, System Owners and Project Leaders shall perform risk assessments at least yearly to improve security in the product, system or development work, and shall document the risks and the decisions taken. Risks identified in daily work shall also be documented. The Product Owner is responsible for implementing risk handling activities (actions) through the appropriate channels. |
Documentation | We use our template for risk assessments. |
Security | Risk assessments must be protected, as they may reveal critical control weaknesses. |