Implementing continuous risk management
Risks must be regularly reassessed to reflect changes in the capability, vulnerabilities, or emerging threats.
Security risk management should be part of the capability’s existing processes.
This will make sure reporting, processes, and language remain consistent.
Capabilities should have clear lines of communication between those who are responsible for delivering security, and those making risk management decisions. The Senior Responsible Owner (SRO), or suitable equivalent, remains accountable for all decisions.
Benefits
Benefits of continuous risk management include:
- making sure security measures remain effective
- keeping capabilities ahead of threats
Outcomes
Outcomes of continuous risk management involve updating:
- risk registers
- risk tooling
- control selection
Responsibility
Who is responsible for continuous risk management:
- delivery team lead
- project management office (PMO)
- delivery team security lead
When to implement continuous risk management
This should take place at all stages of the capability’s lifecycle.