Communicating Risk Assessment Results

Once you’ve done your risk assessment, you’re not finished. It isn’t enough to just go through the activity. The risk assessment you’ve just completed is valuable data that needs to be communicated within the organization to the stakeholders who must address the risks you’ve identified. You must make sure that decision makers within your organization have access to those risk assessment results. This is actually a primary control, both in NIST 800-39 and in the NIST Cybersecurity Framework. Internal communication is key. Once the stakeholders understand the risks they are facing, they can make good decisions about their processes moving forward. We can decide on controls, ranging from administrative controls to technological ones, to address the risks that are present. And we can apply funding and attention to those risks in the order of the real threat they pose to the organization. Risk assessment communication enables the entire company to support your results and to address them. What’s the best method for communicating risk? Well, that’s up to you and to your organization. But what an auditor needs to see is that risk has been communicated to, understood by, and acknowledged by the key stakeholders in the organization.

