Include language that is easy to understand in the risk assessment report.


CONTROL ID
06461
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain risk assessment procedures., CC ID: 06446

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Information risk assessment methodologies should be easy to understand by non-security specialists (e.g., business representatives). (SR.01.02.02f, The Standard of Good Practice for Information Security)
  • Information risk assessments should ensure that their results (including risk treatment options and any identified residual risk) are presented in a format that is clear and understandable to the business (i.e., written in business language). (SR.01.02.08d, The Standard of Good Practice for Information Security)
  • Information risk reporting mechanisms should be developed, which are relevant to each audience, and take into account requirements, such as style of report expected. (SI.02.02.04a, The Standard of Good Practice for Information Security)
  • Information risk reporting mechanisms should be developed, which are relevant to each audience, and take into account requirements, such as method of presentation (e.g., detailed report, balanced scorecard, cockpit / dashboard, or diagrams using colour (red / amber / green) coding). (SI.02.02.04c, The Standard of Good Practice for Information Security)
  • Information risk reports should use business language that is consistent with other risk reports. (SI.02.02.07b, The Standard of Good Practice for Information Security)
  • Information risk reporting mechanisms should be developed, which are relevant to each audience, and take into account requirements, such as style of report expected. (SI.02.02.04a, The Standard of Good Practice for Information Security, 2013)
  • Information risk reporting mechanisms should be developed, which are relevant to each audience, and take into account requirements, such as method of presentation (e.g., detailed report, balanced scorecard, cockpit / dashboard, or diagrams using colour (red / amber / green) coding). (SI.02.02.04c, The Standard of Good Practice for Information Security, 2013)
  • Information risk reports should use business language that is consistent with other risk reports. (SI.02.02.07b, The Standard of Good Practice for Information Security, 2013)
  • Information risk assessment methodologies should be easy to understand by non-security specialists (e.g., business representatives). (SR.01.02.02g, The Standard of Good Practice for Information Security, 2013)
  • Information risk assessments should ensure that their results (including risk treatment options and any identified residual risk) are presented in a format that is clear and understandable to the business (i.e., written in business language). (SR.01.02.11d, The Standard of Good Practice for Information Security, 2013)