ABSTRACT

Both the security risk assessment and security risk treatment processes should be documented to capture the analysis, the findings, and the resulting actions. That documentation should also provide a basis for review, priority setting, decision making, and performance measurement. The security plan should demonstrate the relationship between the security controls it selects and the results of the security risk assessment and security risk treatment processes. The extent and format of a security plan will differ from one organization to another, given each one’s size, complexity, operations, and internal management practices; nevertheless, each organization should maintain evidence that it has undertaken a security risk assessment and ensure that the more common elements of a security plan are adhered to. Each plan must contain at a minimum the following elements: approvals, executive summary, communications and consultations, context, security risk assessment, security risk treatment, and implementation.