12.2 Implement a risk-assessment process that:
• Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.),
• Identifies critical assets, threats, and vulnerabilities, and
• Results in a formal, documented analysis of risk.
Examples of risk-assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.
12.2.a Verify that an annual risk-assessment process is documented that:
• Identifies critical assets, threats, and vulnerabilities
• Results in a formal, documented analysis of risk
12.2.b Review risk-assessment documentation to verify that the risk-assessment process is performed at least annually and upon significant changes to the environment.
A risk assessment enables an organization to identify threats and associated vulnerabilities with the potential to negatively impact their business. Examples of different risk considerations include cybercrime, web attacks, and POS malware.
Resources can then be effectively allocated to implement controls that reduce the likelihood and/or the potential impact of the threat being realized.
Performing risk assessments at least annually and upon significant changes allows the organization to keep up to date with organizational changes and evolving threats, trends, and technologies.