Risk responses (such as mitigate, accept, avoid, or transfer) are reviewed periodically by leadership to determine whether they are still appropriate
Context and Guidance: Risk responses and defined methods to implement risk responses should be reviewed periodically to determine if they are still appropriate and effective at managing cyber risk for the organisation. Changes in the operational environment such as new technology, new services, or new strategic partnerships may cause the organisation to modify existing response strategies, create new response strategies, or retire response strategies.
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: RISK-4a, RISK-4b, RISK-4e.