Review and understand the context in which risks are to be analyzed. Identify both internal and external
context. Define the goal of the risk assessment. Identify standard criteria against which risks will be
assessed. Examine background documents, interview subject matter experts, etc.
Many different triggers may cause risks to be identified. Examples include:
- Audits may identify security issues
- Changes in security policy
- Regulatory changes
- Proposed or real changes in the IT or business environment
- New project proposals
- Identified security issue from audit or checking
Risk identification may also be a task that is performed on a periodic basis.