Cyber risk analyses are updated periodically and according to defined triggers, such as system changes, external events, and information from other model domains
Context and Guidance: Cyber risks that can affect IT, OT, and information assets should be analysed periodically or according to defined triggers to determine whether criteria such as impact or probability have changed. An increased probability of a risk being realised may drive a change to the priority of the cyber risk and a different strategy to mitigate the cyber risk. For each cyber risk, the organisation should assign a date by which the risk must be reevaluated or a defined trigger that would drive reevaluation. Triggers may include a date on which an asset is no longer supported by a vendor or an internal metric that has exceeded a tolerance level.