Next step — use the risk assessment report

The business owner makes sure the controls recommended in the risk assessment report are implemented.

Implement the controls from the report

How you put the recommended controls into action depends on whether the risk assessment is for an information system that is in current production or for a new one.

Information systems in current production

Develop a risk management plan using the risk assessment report.

For a government organisation, the risk management plan can be based on either:

Formal programme of work

If the risks need to be managed as a formal programme of work, the risk management plan needs to:

  • follow your organisation’s methodology for project management
  • be approved at the right level of governance.

New information systems

Use the risk assessment report to add the controls required to manage the risks to the information system's:

  • architecture and design
  • Request for Proposal, if there is one
  • contractual terms — especially for public cloud services.

Ongoing risk management of information systems

See how the risk assessments for information systems are part of government organisations’ ongoing frameworks for risk management.

Monitor and review risks to information systems
