CCI-002994

Review and update the risk management strategy in accordance with organization-defined frequency or as required, to address organizational changes.

Implementation Guidance

Determine if the risk management strategy is reviewed and updated [PM-09_ODP; the frequency at which to review and update the risk management strategy is defined] or as required to address Organizational changes.

Validation Procedures

Examine: [SELECT FROM: Information security program plan; privacy program plan; risk management strategy; supply chain risk management strategy; procedures addressing the development, implementation, review, and update of the risk management strategy; risk assessment results relevant to the risk management strategy; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with information security and privacy program planning and plan implementation responsibilities; organizational personnel responsible for the development, implementation, review, and update of the risk management strategy; organizational personnel with information security and privacy responsibilities]. Test: [SELECT FROM: Organizational processes for the development, implementation, review, and update of the risk management strategy; mechanisms supporting the development, implementation, review, and update of the risk management strategy].

The controls below (if any) were marked by NIST as being related to CCI-002994.