Description
The organization updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system, the facilities where the system resides, or other conditions that may impact the security or accreditation status of the system.
Supplemental Guidance
The organization develops and documents specific criteria for what is considered significant change to the information system. NIST Special Publication 800-30 provides guidance on conducting risk assessment updates.
Enhancements
(0) None.
Compliance Mappings
ISO 17799 (legacy)
4.1
COBIT 4.1 (legacy)
PO9.4