The Results Of The [Information] Risk Assessments (Clause 8.2)
The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established. The organization shall retain documented information of the results of the information security risk assessments.

The Decisions Regarding [Information] Risk Treatment (Clause 8.3)
The organization shall implement the information security risk treatment plan. The organization shall retain documented information of the results of the information security risk treatment.

Risk Treatment Options Based On ISO/IEC 27005

Evidence Of The Monitoring And Measurement Of Information Security (Clause 9.1)
The organization shall evaluate the information security performance and the effectiveness of the information security management system. The organization shall determine
• what needs to be monitored and measured, including information security processes and controls
• the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results
• when the monitoring and measuring shall be performed
• who shall monitor and measure
• when the results from monitoring and measurement shall be analysed and evaluated and
• who shall analyse and evaluate these results.
The organization shall retain appropriate documented information as evidence of the monitoring and measurement results.