01
Qualify the context
Identify critical assets, feared events, dependencies, exposure and operating constraints.
Risques
Qualify risks by business impact, then arbitrate actions without losing operational reality.
01
Identify critical assets, feared events, dependencies, exposure and operating constraints.
02
Describe threat sources, attack paths, likelihood, impacts and existing measures.
03
Produce a treatment backlog, risk decisions, expected evidence and tracking indicators.
Deliverables
risk scenarios
risk register
KPI/KRI
treatment plan