9.3. Create Risk Evaluation Criteria

During this activity you define your organization's tolerance for risk by creating evaluation criteria. These criteria are measures against which you evaluate the types of impact you described during the previous activity. An organization must explicitly prioritize known risks, because it cannot mitigate all of them. Funding, staff, and schedule constraints limit how many and to what extent risks can be addressed. This activity provides decision makers with additional information that they can use when establishing mitigation priorities.

Step 1: Review Information

You need to review relevant background information to help you define evaluation criteria. Such information includes the following:

  • Strategic and/or ...

Get Managing Information Security Risks: The OCTAVESM Approach now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.