RA-04 Risk Assessment Update

Control: The organization updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system, the facilities where the system resides, or other conditions that may impact the security or accreditation status of the system.

Supplemental Guidance: The organization develops and documents specific criteria for what is considered significant change to the information system. NIST Special Publication 800-30 provides guidance on conducting risk assessment updates.

Control Enhancements: (0) None.

Baseline: LOW RA-4; MOD RA-4; HIGH RA-4

Family: Risk Assessment

Class: Management

ISO 17799 mapping: 4.1

COBIT 4.1 mapping: PO9.4

PCI-DSS v2 mapping: 12.1.3