IVI Framework Viewer

Security Risk Prioritization

C3

Prioritize information security risks and risk handling strategies based on residual risks and the organization’s risk appetite.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Security Risk Prioritization at each level of maturity.

1 Initial
  • Practice
    Rely on the best endeavours of staff.
    Outcome
    The organization behaves on an ad hoc basis: with no documented processes or procedures, staff respond differently according to their differing levels of experience and training.
    Metric
    # Customer complaints/accolades about in/consistency of risk handling.
2 Basic
  • Practice
    Establish a managed prioritization process within the IT function and conduct security risk prioritization as needed.
    Outcome
    A prioritization process exists in IT. Some basic risk prioritization takes place, typically based on the estimated risk impact/probability/time horizon. Impact considers the ability to meet business objectives.
    Metric
    % Identified risks that are prioritized with supporting evidence.
3 Intermediate
  • Practice
    Base risk prioritization decisions in IT and some business functions on an evaluation of risk impact/probability of occurrence/time horizon etc.
    Outcome
    Security risk prioritization in IT and in some business functions becomes more proactive and no longer treats only major perceived pain-points.
    Metric
    % Identified risks that are prioritized
4 Advanced
  • Practice
    Integrate the security risk prioritization process across the organization and assess risk impact and probability of occurrence in line with the organization's operating model and risk appetite.
    Outcome
    A stable approach to risk assessment and prioritization is taken organization-wide.
    Metric
    % Identified risks that are prioritized
5 Optimized
  • Practice
    Continually review and optimize the risk prioritization process through capturing feedback on the accuracy of security risk estimates over time.
    Outcome
    The prioritization process meets the current and future needs of the organization. Its effectiveness, efficiency, and accuracy of estimates are regularly assessed.
    Metric
    % Identified risks that are prioritized
    Ratio of actual risk prioritization process reviews to required reviews (set out in the policy)
    Accuracy of estimates
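The practices above describe prioritizing on impact, probability and time horizon, comparing residual risk with the organization's appetite, and (at level 5) feeding back the accuracy of estimates. The following is an added example, not part of the IT-CMF framework or this viewer, of how those steps and two of the listed metrics can be made concrete. The 1-5 impact scale, the horizon weighting, the appetite threshold, the use of a Brier score as the "accuracy of estimates" measure, and the sample risks are all assumptions constructed for illustration.

```python
"""Residual-risk prioritization against a risk appetite, with the
'% prioritized with supporting evidence' and 'accuracy of estimates' metrics.
Added example; scales, threshold and sample data are constructed, not IT-CMF's."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Risk:
    rid: str
    impact: int                 # 1..5: effect on the ability to meet business objectives (assumed scale)
    probability: float          # 0..1: estimated likelihood within the time horizon
    horizon_months: int         # when the exposure is expected to materialise
    control_effectiveness: float = 0.0   # 0..1: reduction provided by existing controls
    evidence: List[str] = field(default_factory=list)  # references supporting the estimate
    occurred: Optional[bool] = None      # feedback: did the risk materialise? None = not yet known

    def residual(self) -> float:
        """Residual risk after controls, weighted so nearer horizons rank higher.
        The weight 1/(1 + months/12) is an assumption: 0 months -> 1.0, 12 months -> 0.5."""
        inherent = self.impact * self.probability
        horizon_weight = 1.0 / (1 + self.horizon_months / 12)
        return inherent * (1 - self.control_effectiveness) * horizon_weight


# Constructed appetite threshold: residual scores above it need a treatment plan.
RISK_APPETITE = 1.0


def prioritize(risks: List[Risk]) -> List[Tuple[str, float, str]]:
    """Rank risks by residual score and assign a handling strategy relative to appetite."""
    ranked = sorted(risks, key=lambda r: r.residual(), reverse=True)
    return [
        (r.rid, round(r.residual(), 3), "treat" if r.residual() > RISK_APPETITE else "accept")
        for r in ranked
    ]


def pct_prioritized_with_evidence(risks: List[Risk]) -> float:
    """Level-2 metric: share of identified risks whose estimate cites supporting evidence."""
    if not risks:
        return 0.0
    return 100.0 * sum(1 for r in risks if r.evidence) / len(risks)


def estimate_accuracy(risks: List[Risk]) -> Optional[float]:
    """Level-5 metric: Brier score of probability estimates against observed outcomes
    (0 = perfectly calibrated, 1 = always wrong). Risks with no outcome yet are skipped."""
    scored = [r for r in risks if r.occurred is not None]
    if not scored:
        return None
    return sum((r.probability - (1.0 if r.occurred else 0.0)) ** 2 for r in scored) / len(scored)


# Constructed sample register; the identifiers and values are illustrative only.
SAMPLE_RISKS = [
    Risk("R1", impact=5, probability=0.6, horizon_months=3, control_effectiveness=0.5,
         evidence=["pentest-report"], occurred=True),
    Risk("R2", impact=2, probability=0.9, horizon_months=12, occurred=False),
    Risk("R3", impact=4, probability=0.2, horizon_months=24, control_effectiveness=0.25,
         evidence=["internal-audit"]),
    Risk("R4", impact=3, probability=0.5, horizon_months=0,
         evidence=["incident-log"], occurred=True),
]

if __name__ == "__main__":
    for rid, score, strategy in prioritize(SAMPLE_RISKS):
        print(f"{rid}: residual={score} -> {strategy}")
    print(f"% prioritized with evidence: {pct_prioritized_with_evidence(SAMPLE_RISKS):.1f}")
    print(f"Brier score of estimates: {estimate_accuracy(SAMPLE_RISKS):.3f}")
```

R2 illustrates why the level-5 feedback loop matters: a 0.9 probability estimate that did not materialise dominates the Brier score, so the next review of the prioritization process has a concrete, measured reason to revisit how that estimate was made.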