Non-risk-related reasons for undertaking work
Answer:
In general, security-related actions can be driven by these reasons:
- the existence of unacceptable risks (as you already mentioned)
- the existence of legal requirements (e.g., contracts, laws and regulations), demanding a security action
- a top management decision, based on a business need or on a market best practice
The last two bullets do not have to be initially related to risks (but at some point you can identify some), nor will ISO auditors require every action to be related to risks.
May 24, 2019