The organization has defined procedures for assessing and treating cyber security risks. The definition includes at least:
- Risk identification methods
- Methods for risk analysis
- Criteria for risk evaluation (impact and likelihood)
- Risk prioritisation, treatment options and the definition of control tasks
- Risk acceptance criteria
- Process implementation cycle, resourcing and responsibilities
The task owner regularly checks that the procedure is clear and produces consistent results.