Risk reviews
Capabilities must make sure cyber risk assessments are carried out, documented in a risk register, and regularly reviewed.
JSP 440 Leaflet 5C mandates that the frequency of reviews must be appropriate to the risks identified, and must be at least quarterly.
Risks should also be reviewed immediately after any significant changes, when new threats emerge, or in response to any best practice changes.
Risk reviews make sure risk is managed throughout the capability’s life cycle, identifying new or unexpected risks introduced by changes.
Benefits
Benefits of risk reviews include:
- early detection of emerging risks
- timely updates on how risks are handled
- improved decision making
- improved financial planning
- making sure capabilities remain within their defined risk appetite
Outcomes
Outcomes of risk reviews include:
- records of discussions from risk reviews
- updates to risk registers
- updates made in risk tooling
Responsibility
Who is responsible for reviewing risks:
- delivery team lead
- project management office (PMO)
- delivery team security lead
When to conduct a risk review
Risk should be reviewed:
- at least every 3 months, as instructed in JSP 440 Leaflet 5C
- in response to changes in the system design, or to changes in the threats the capability faces