From exercises to operations

You’ve built a risk register and process. Now make it operational.

Integration points

With ISO 27001 implementation:

  • Your risk register feeds control selection (Annex A)

  • Risk assessment documentation satisfies Clause 6.1

  • Risk treatment plans become your implementation roadmap

  • Risk reviews inform management reviews

With NIS2 compliance:

  • Identified critical assets map to Article 21 requirements

  • Risk assessment supports “appropriate and proportionate” measures

  • Treatment plans address mandatory security measures

  • Register demonstrates systematic risk management

With incident response:

  • Known risks have response plans ready

  • Incidents trigger risk assessment updates

  • Post-incident reviews feed back into the risk register

  • High-impact scenarios drive tabletop exercises

With business continuity:

  • Asset dependencies inform continuity plans

  • Impact assessments determine recovery priorities

  • Treatment options include continuity controls

  • Register identifies single points of failure

Maturity progression

Level 1: Reactive (You’re starting here)

  • Risks identified after incidents

  • Ad-hoc assessments

  • Basic register

  • Fire-fighting mode

Level 2: Structured (Next 3-6 months)

  • Regular risk identification workshops

  • Consistent assessment criteria

  • Maintained risk register

  • Planned treatment approach

Level 3: Integrated (6-12 months)

  • Risk management embedded in processes

  • Automated workflows and reporting

  • Proactive risk identification

  • Risk-informed decisions

Level 4: Predictive (12+ months)

  • Threat intelligence feeds risk model

  • Scenario planning and stress testing

  • Forward-looking risk metrics

  • Risk culture embedded

Don’t try to jump to Level 4. Build capability progressively.

Keeping it alive

Monthly:

  • Review Critical risks

  • Check treatment progress

  • Update based on incidents or changes

Quarterly:

  • Review High and Medium risks

  • Report to executives

  • Adjust treatment priorities

  • Capture new risks

Annually:

  • Full risk assessment refresh

  • Validate likelihood/impact criteria

  • Review process effectiveness

  • Update appetite and thresholds

As needed:

  • New system launches

  • Major organisational changes

  • Significant incidents

  • Regulatory updates

Resources for going deeper

Frameworks: