Use your risk assessment
Update your organisation’s risk registers and schedule future reviews of your information’s risks and security controls.
Final step — risk assessment to risk management
If you use your risk assessment with your organisation’s security and information technology departments, they’ll be able to help you:
- add the risks and security controls to their risk registers
- monitor and review those risks and security controls.
Immediate use — update your risk registers
Add the security controls for your information to your organisation’s risk registers. Make sure your security team has the finished and approved risk assessment — make special note of any high risks to the information.
This allows them to regularly monitor and review whether the risks or effectiveness of the controls have changed.
Risk assessment sign-offs are not complete certification and accreditation processes
See the New Zealand Information Security Manual (NZISM) for the complete certification and accreditation process.
Ongoing use — monitor and review the risks
Work with your security team to set up a regular schedule to monitor and review the risks and security controls for your information in the public cloud service.
When a public cloud service is not accepted
If you decide not to use a public cloud service, it’s still worth filing your risk assessment with the security and information technology teams. This way, others in your organisation:
- do not duplicate the work
- can reference it as a starting point in the future.