ISMS Quick Check

Updated: August 16, 2025

Risk

What changes would prompt you to revise your risk analysis?

We review our risk analysis every quarter and whenever there are significant changes to processes, assets, or the threat situation.
We update the risk analysis at least once a year, or whenever there are major organizational changes.
We update at irregular intervals, typically after completing a significant project or addressing a major incident.
We rarely update the risk analysis after initial preparation.

Who in your company decides whether a risk is acceptable?

The risk committee comprises subject-matter experts, IT staff, compliance officers and managers. It meets regularly to make documented decisions.
The management or the CISO makes the decision based on the information that has already been prepared.
Project managers usually make this decision themselves. Line managers only approve it in exceptional circumstances.
There is no defined decision-making process. Risks are tacitly accepted.

Do you document accepted risks in a formal risk treatment plan?

Yes, the risk treatment plan includes details of all accepted risks, including the reasons for accepting them and the date of the next review.
Accepted risks are documented, but the plan is only updated if necessary.
We only partially document accepted risks, typically in project documents.
Accepted risks are not documented separately.