...
Description of process
Risk treatment plan
- A description of the risk to be reduced and the controls to implement.
- Rationale for the choice of controls and expected effects
- Responsible for approving the plan
- Responsible for implementing the controls
- Activities related to implementation
- Target and performance criteria and delimitations in relation to the controls
- Reporting and monitoring requirements
- Plan and timeframes
Risk areas
The organization's ownership of ICT
Information security policy and guidelines
Organization of information security
Resources
Expertise, skills and safety culture
Employee safety
Architecture
Work processes
Roles and responsibilities
Establishment and maintenance of portfolio
Innovation
Decision-making for ICT investments
Acquisition, development and maintenance of ICT systems / services
Quality assurance
Supplier relations
...