The organization must ensure that the results of technical security tests are systematically documented, evaluated for criticality, and used to improve security controls, policies, and procedures. Residual risks arising from test findings must be formally assessed and accepted by the appropriate risk owners.
- Document the results of technical tests such as vulnerability scans, penetration tests, configuration reviews, and other security assessments.
- Assess and record the criticality of each finding, including its potential impact on confidentiality, integrity, authenticity, or availability.
- Define and implement corrective or compensating measures where findings indicate weaknesses or negative impact.
- Evaluate whether test outcomes require updates to security policies, procedures, or control effectiveness assessment methods.
- Document decisions taken, including justification where no corrective action or policy update is required.
- Identify and document any residual risks that remain after corrective measures.
- Ensure residual risks are formally accepted by designated risk owners and appropriately reported to relevant management bodies.
This process ensures that technical testing results are properly documented, risk-evaluated, escalated where necessary, and integrated into continuous improvement of the organization’s security governance.
.svg)
