|
1
|
Risk Assessment and Management (CC-11000; annual audit)
- All of the company's information assets within the scope of applicable information security risk and all owners of such assets shall be identified.
- The acceptable level of information security risk for each of the company's operations shall be determined.
- The company shall conduct information security risk inspections at least once per year and keep the relevant records. Significant risks and control and management measures relating to operation (including risks in new products, new technologies and information systems) shall be covered by the risk assessment to ensure validity of company policies, procedures and control and management measures.
|