6.1.2 Information security risk assessment

Control details

For copyright reasons, this space does not contain citations from the Standard.

Write down the organization's method for risk analysis.

  1. How often/when is the risk analysis executed?
  2. Who will be performing the risk analysis?
  3. What metrics will be used?
  4. When is a risk required to be mitigated and when can it be accepted?
  5. Who will own the risk?
  6. Who can accept a risk?

Our risk assessment process is based on SPRINT and is defined here: Risk assessment and treatment process.

Check details

Is the risk assessment process still accurate? Are the risk levels assigned to the identified risks consistent with the process?

Is the implementation still accurate? Consult with management if needed. Report any findings below in the comments, or upload proof as an attachment to this page.