The organization should, on a regular basis, perform a security risk assessment. The security risk assessment should:
- Be performed at agreed intervals not to exceed one year.
- Maintain records detailing the risk assessment, its outcome and follow-up actions as described in 20.7.4 Risk Management.
- Take into account regulatory requirements, industry regulations and standards (e.g. ISO 31000), and Service Level Agreement (SLA) commitments.
The organization should consider performing, at random intervals, an unannounced security risk assessment and/or internal audit to detect potential security lapses during normal operations.
The outcome should be a report indicating the threats and vulnerabilities to which the organization and its (customer) assets may be exposed, including the risk analysis, the risk evaluation and recommendations for risk treatment for identified risks that exceed the level of risk acceptance.
Where feasible, the organization should make a summary of this report available on a need-to-know basis to customers and stakeholders.