- Consider the potential vulnerabilities or threats facing the organization.
- Describe of the risk each vulnerability or threat would have on the organization in terms of its people, network, data, or reputation.
- Explain each risk’s impact on the organization.
- Provide a defined mitigation for each vulnerability, such as an incident response plan, disaster recovery plan, or business continuity plan. Give a defined reason why a vulnerability or threat would not be mitigated, such as the use of a different risk control strategy, if appropriate.
