As part of the security risk assessment, the organization shall make assessments of the severity and probability of the risk materializing.
The organization shall have a clearly instructed risk scale that allows each participant in the risk assessment to decide on the appropriate level of severity and probability.
If it is difficult to identify the source of a security incident based on the primary treatment, a separate follow-up analysis is performed for the incident, in which the root cause is sought to be identified.