Security Risk Prioritization
Prioritize information security risks and risk handling strategies based on residual risks and the organization’s risk appetite.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Security Risk Prioritization at each level of maturity.
- 1 Initial
  - Practice
    - Rely on the best endeavours of staff.
  - Outcome
    - The organization may behave on an ad hoc basis: with no documented processes or procedures, staff may respond differently depending on their levels of experience and training backgrounds.
  - Metric
    - # Customer complaints or accolades regarding (in)consistency.
- 2 Basic
  - Practice
    - Establish a managed prioritization process within the IT function and conduct security risk prioritization as needed.
  - Outcome
    - A prioritization process exists in IT. Some basic risk prioritization takes place, typically based on the estimated risk impact, probability, and time horizon. Impact considers the ability to meet business objectives.
  - Metric
    - % Identified risks that are prioritized with supporting evidence.
- 3 Intermediate
  - Practice
    - Base risk prioritization decisions in IT and some business functions on an evaluation of risk impact, probability of occurrence, time horizon, etc.
  - Outcome
    - Security risk prioritization in IT and in some business functions becomes more proactive and no longer treats only the major perceived pain-points.
  - Metric
    - % Identified risks that are prioritized.
- 4 Advanced
  - Practice
    - Integrate the security risk prioritization process across the organization and assess risk impact and probability of occurrence in line with the organization's operating model and risk appetite.
  - Outcome
    - A stable approach to risk assessment and prioritization is taken organization-wide.
  - Metric
    - % Identified risks that are prioritized.
- 5 Optimized
  - Practice
    - Continually review and optimize the risk prioritization process by capturing feedback on the accuracy of security risk estimates over time.
  - Outcome
    - The prioritization process meets the current and future needs of the organization. Its effectiveness, efficiency, and accuracy of estimates are regularly assessed.
  - Metric
    - % Identified risks that are prioritized.
    - Ratio of actual risk prioritization process reviews to required reviews (set out in the policy).
    - Accuracy of estimates.
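The following Python script is an added illustration, not part of the maturity model's text: it ranks a constructed risk register by residual risk (impact, probability, time horizon, and existing controls) against a risk-appetite threshold, and computes two of the metrics listed above. The residual-score formula, the register values, and the use of the Brier score as the "accuracy of estimates" measure are assumptions made for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Risk:
    """One entry in a constructed risk register (sample data, not from the model)."""
    name: str
    impact: int                   # 1..5, effect on business objectives if it occurs
    probability: float            # 0..1, estimated chance of occurring within the horizon
    horizon_years: float          # expected time until the risk could materialise
    control_effectiveness: float  # 0..1, reduction delivered by controls already in place
    evidence: list = field(default_factory=list)  # references backing the estimate

def residual_score(r: Risk) -> float:
    """Inherent exposure (impact x probability) reduced by existing controls,
    then discounted so nearer-term risks rank higher (assumed weighting)."""
    inherent = r.impact * r.probability
    residual = inherent * (1.0 - r.control_effectiveness)
    return residual / (1.0 + r.horizon_years)

def prioritize(risks, appetite):
    """Risks whose residual score exceeds the appetite threshold, highest first."""
    above = [(residual_score(r), r) for r in risks if residual_score(r) > appetite]
    return sorted(above, key=lambda t: t[0], reverse=True)

def pct_prioritized_with_evidence(risks, appetite):
    """Level 2 metric: share of identified risks that were prioritized and carry evidence."""
    if not risks:
        return 0.0
    backed = [r for _, r in prioritize(risks, appetite) if r.evidence]
    return 100.0 * len(backed) / len(risks)

def estimate_accuracy(history):
    """Level 5 metric: Brier score of past estimates vs outcomes (0 = perfect); history = [(p, occurred)]."""
    if not history:
        return None
    return sum((p - (1.0 if occurred else 0.0)) ** 2 for p, occurred in history) / len(history)

# Constructed register and appetite; values are illustrative only.
REGISTER = [
    Risk("Unpatched internet-facing VPN", 5, 0.6, 0.5, 0.2, ["scan report 2024-Q1"]),
    Risk("Laptop theft with disk encryption", 3, 0.5, 1.0, 0.9, ["asset audit"]),
    Risk("Insider data export", 4, 0.3, 1.0, 0.5, []),
    Risk("Legacy app EOL in 3 years", 4, 0.8, 3.0, 0.1, ["vendor notice"]),
]
RISK_APPETITE = 0.25  # residual score the organization is prepared to accept

if __name__ == "__main__":
    for score, r in prioritize(REGISTER, RISK_APPETITE):
        print(f"{score:.2f}  {r.name}")
    print(f"{pct_prioritized_with_evidence(REGISTER, RISK_APPETITE):.0f}% prioritized with evidence")
```

The insider risk ranks above appetite but carries no evidence, which is exactly what the level 2 metric is meant to expose.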