Information security risk schedule
Plain English Translation
Clause 8.2 acts as the schedule for your security health checks. While Clause 6.1.2 defines 'how' to calculate risk, Clause 8.2 mandates 'when' to do it. You must perform these assessments at planned intervals (typically annually) to catch slow-moving threats, and immediately whenever significant changes occur—such as a merger, a move to a new office, or deploying a major new software platform. The results must be documented to prove to auditors that you are proactively monitoring your threat landscape.
Technical Implementation
Required Actions (enterprise)
- Implement continuous risk monitoring using GRC tools
- Trigger automated assessments when infrastructure configuration drifts significantly
- Conduct targeted assessments for specific departments or subsidiaries on a rolling schedule
Clause 8.2 is the operational requirement to actually execute the risk assessment process defined in Clause 6.1.2: assessments must happen at specific times (planned intervals) and on specific events (significant changes), and the results must be recorded.
The standard requires 'planned intervals', which the organization itself defines. Annual assessment is the usual practice, but high-risk industries may require quarterly or semi-annual assessments.
You should conduct one according to your schedule (e.g., every October) OR whenever a significant change occurs (e.g., moving to AWS, acquiring a competitor, or a major new regulation).
Triggers include significant changes to assets, new threats (e.g., rise of AI attacks), changes in business scope, security incidents, or new legal obligations.
Results must be documented, typically in a Risk Assessment Report or an updated Risk Register, showing the risk owners, analysis of consequences/likelihood, and the final risk level. For example, WatchDog Security's Risk Register can help maintain a time-stamped record of updates, ownership, and treatment plans tied to each scheduled or change-triggered assessment.
Clause 6.1.2 is the planning phase where you define the methodology (criteria, rules). Clause 8.2 is the operation phase where you apply that methodology to get actual results.
Planned intervals are the regular, recurring times set by the organization to review risks, ensuring the risk picture doesn't become stale. Annual reviews are the most common interval.
Significant changes include new IT infrastructure, office relocations, mergers and acquisitions, new product launches involving sensitive data, or drastic changes in the threat landscape.
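As an added illustration (not from this page or from WatchDog Security's products), the following Python sketches the two Clause 8.2 triggers, the planned interval elapsing or a significant change touching a risk's assets, and the documented record each assessment leaves behind. Risk identifiers, owners, dates and asset names are constructed for the example, and the likelihood x consequence product stands in for whatever criteria 6.1.2 actually defines.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Risk:                      # one risk register entry (constructed fields)
    risk_id: str
    owner: str
    likelihood: int              # 1 (rare) .. 5 (almost certain)
    consequence: int             # 1 (negligible) .. 5 (severe)
    last_assessed: date
    assets: frozenset            # assets in scope for this risk

@dataclass
class ChangeEvent:               # a proposed or actual change; 'significant' is the 8.2 trigger
    occurred: date
    description: str
    affected_assets: frozenset
    significant: bool

def assessments_due(register, events, today, interval_days=365):
    """risk_id -> reason for every risk Clause 8.2 requires to be reassessed: the planned
    interval elapsed, or a significant change since the last assessment touches its assets."""
    due = {}
    for r in register:
        if today - r.last_assessed >= timedelta(days=interval_days):
            due[r.risk_id] = "planned interval elapsed"
            continue
        for e in events:
            if e.significant and e.occurred > r.last_assessed and e.affected_assets & r.assets:
                due[r.risk_id] = f"significant change: {e.description}"
                break
    return due

def record_assessment(r, today, likelihood, consequence, treatment):
    """Apply the new analysis and return the documented-information entry to retain."""
    r.likelihood, r.consequence, r.last_assessed = likelihood, consequence, today
    return {"risk_id": r.risk_id, "assessed_on": today.isoformat(), "owner": r.owner,
            "likelihood": likelihood, "consequence": consequence,
            "risk_level": likelihood * consequence, "treatment": treatment}  # toy matrix

TODAY = date(2025, 6, 1)         # constructed sample data below, illustrative only
REGISTER = [
    Risk("R-01", "Head of Finance", 3, 4, date(2024, 5, 1), frozenset({"payroll-db"})),
    Risk("R-02", "Platform Lead", 2, 3, date(2025, 1, 15), frozenset({"web-app"})),
    Risk("R-03", "HR Director", 2, 2, date(2025, 3, 1), frozenset({"hr-files"})),
]
EVENTS = [
    ChangeEvent(date(2025, 4, 20), "web-app migrated to AWS", frozenset({"web-app"}), True),
    ChangeEvent(date(2025, 4, 25), "routine patch cycle", frozenset({"hr-files"}), False),
]
```

Running `assessments_due(REGISTER, EVENTS, TODAY)` flags R-01 on the interval and R-02 on the AWS migration, while R-03 (recently assessed, only a non-significant change) is left alone; recording R-02's reassessment then clears it from the due list.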
The hard part is consistency: teams forget to reassess risk when change happens, or they do it ad-hoc without a repeatable record. WatchDog Security's Compliance Center helps by tracking the control requirement, prompting reassessments when major changes or audit milestones occur, and keeping the resulting evidence (risk assessment outputs and sign-offs) organized for audit readiness.
A living register needs workflow: owners, review cadence, treatment decisions, and traceability from triggers to updated risk decisions. WatchDog Security's Risk Register supports ongoing updates with risk scoring, assigned owners, treatment plans, and reporting, which makes it easier to show that each scheduled or change-triggered assessment resulted in documented updates.
"The organization shall perform information security risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established in 6.1.2 a). The organization shall retain documented information of the results of the information security risk assessments."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2025-05-27 | WatchDog Security GRC Team | Initial publication |