Below is the recommended cycle of events:
The cycle above is repeated on a regular basis. Once per year or every two years should suffice. Some regulations state or imply that this should be yearly, but the more common view, and one which an auditor would like to see, is that the risk exercise is done at least every two years or whenever there are major changes in perceived threats.
The steps are these:
Go through an exercise with stakeholders and, in particular, the functional departments to agree which areas of threat represent areas ...