From risk analysis to security measures
From threat to risk analysis
For each location, it is determined which threats are realistic by looking at the processes carried out there. For each such threat, it is then assessed how attractive the location is to a perpetrator or group of perpetrators seeking to achieve their objectives, and what damage they could cause in doing so. The result is a risk analysis per location.
The desired situation defined
The outcome of the risk analysis makes clear which measures are needed to bring the risks to a manageable level and keep them there. These security measures are selected from the Program of Requirements and together form the standard security advice for that location, from which one may of course deviate if there is reason to do so.
The existing measures are inventoried and compared with the desired situation that follows from the risk analysis. This gives insight into which risks are already sufficiently covered, which additional measures are still needed, and where somewhat less can be done.
Make choices and justify them
Now choices can be made: either to accept the risks or to address them by implementing measures. The considerations behind accepting (residual) risks are recorded, so that it is clear to what extent the organization remains exposed to the identified threats.
Everything is recorded in the security plan. Taking the risk analysis as its starting point, the plan describes for each location which mix of measures is required, what has already been achieved, what still needs to be done and by when. Where the plan deviates from the Program of Requirements, it states why and how this was done, possibly by means of an equivalent alternative measure or by accepting the risk. The security plan is periodically checked to ensure it is still up to date, and changes in processes, risks and/or measures are incorporated into the plan.