Page 241 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
analyses performed to assess these risks. For the quantitative analysis,
the actual AV, EF, ARO, SLE, and ALE figures should be included. For
the qualitative analysis, the thought process behind the risk analysis
should be provided to the reader. It’s important to note that the risk
assessment must be updated on a regular basis because it reflects a
point-in-time assessment.
Risk Acceptance/Mitigation
The risk acceptance/mitigation section of the BCP documentation
contains the outcome of the strategy development portion of the BCP
process. It should cover each risk identified in the risk analysis portion
of the document and outline one of two thought processes.
For risks that were deemed acceptable, it should outline the
reasons the risk was considered acceptable as well as potential
future events that might warrant reconsideration of this
determination.
For risks that were deemed unacceptable, it should outline the risk
management provisions and processes put into place to reduce the
risk to the organization’s continued viability.
It’s far too easy to look at a difficult risk mitigation
challenge and say “we accept this risk” before moving on to easier
things. Business continuity planners should resist these statements
and ask business leaders to formally document their risk
acceptance decisions. If auditors later scrutinize your business
continuity plan, they will most certainly look for formal artifacts of
any risk acceptance decisions made in the BCP process.
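As an added illustration (not from the study guide) of the quantitative figures named above and of the two outcomes each risk must be documented with, the following Python builds a small risk-register section: it computes SLE and ALE from AV, EF and ARO, and refuses to render an accepted risk that lacks a recorded rationale and reconsideration triggers, the formal artifacts auditors look for. Risk names, figures and rationales are constructed.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    av: float            # Asset Value (AV) in dollars
    ef: float            # Exposure Factor (EF): fraction of AV lost per event, 0.0-1.0
    aro: float           # Annualized Rate of Occurrence (ARO): expected events per year
    decision: str        # "accept" or "mitigate"
    rationale: str       # why accepted, or the provisions put in place to reduce the risk
    reconsider_when: str = ""  # events that should reopen an acceptance decision

    def sle(self) -> float:  # Single Loss Expectancy: SLE = AV x EF
        return self.av * self.ef

    def ale(self) -> float:  # Annualized Loss Expectancy: ALE = SLE x ARO
        return self.sle() * self.aro

def check_documented(risk: Risk) -> list[str]:
    """List the gaps that would leave an auditor without a formal decision artifact."""
    problems = []
    if risk.decision not in ("accept", "mitigate"):
        problems.append(f"{risk.name}: decision must be 'accept' or 'mitigate'")
    if not risk.rationale.strip():
        problems.append(f"{risk.name}: no rationale/provisions recorded")
    if risk.decision == "accept" and not risk.reconsider_when.strip():
        problems.append(f"{risk.name}: accepted risk lacks reconsideration triggers")
    return problems

def render_section(risks: list[Risk], assessed_on: str) -> str:
    # Quantitative figures plus the acceptance/mitigation outcome for each risk
    gaps = [p for r in risks for p in check_documented(r)]
    if gaps:  # refuse to emit a section that lacks the formal artifacts
        raise ValueError("; ".join(gaps))
    out = [f"Risk analysis (point-in-time; assessed {assessed_on}; revisit on schedule)"]
    for r in risks:
        out.append(f"{r.name}: AV=${r.av:,.0f} EF={r.ef:.0%} ARO={r.aro} "
                   f"SLE=${r.sle():,.0f} ALE=${r.ale():,.0f} -> {r.decision.upper()}")
        out.append(f"  rationale: {r.rationale}")
        if r.decision == "accept":
            out.append(f"  reconsider if: {r.reconsider_when}")
    return "\n".join(out)

# Constructed sample register (hypothetical figures, not from the study guide)
SAMPLE = [
    Risk("Data center flood", 2_000_000, 0.25, 0.1, "mitigate",
         "Hot-site contract signed; failover tested quarterly"),
    Risk("Loss of printed vendor catalog", 100_000, 0.50, 0.1, "accept",
         "Rebuild cost is below off-site storage cost; executive sign-off on file",
         "Catalog becomes an input to order processing, or ARO rises above 0.5"),
]
```

Calling `render_section(SAMPLE, "2024-01-15")` prints the section; dropping the reconsideration text from the accepted risk makes it raise instead of silently documenting an incomplete acceptance.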
Vital Records Program
The BCP documentation should also outline a vital records program
for the organization. This document states where critical business
records will be stored and the procedures for making and storing