We've updated our risk management process. The latest change introduces a "treatment in progress" status, indicating the team is currently undertaking mitigation tasks. Additionally, we've refined a few risk statuses for better accuracy, aligning them with ISO and NIST recommendations and incorporating valuable feedback received.
A risk is considered to be in an "Open" state immediately after creation before any risk assessment has been conducted.
Users can initiate the initial risk assessment and link any existing mitigating controls to the risk. Following this step, the risk is deemed to be in an "Assessed" state.
Users have the option to either create a mitigation task or add residual risk. If a mitigation task is created, the risk is considered to be in "Treatment in Progress" until the risk is closed.
Alternatively, if residual risk is added without creating a mitigation task, the risk is considered to be in a "Treated" state.
If a user adds a mitigation task and closes it, the risk status will change to "Treatment in Progress". If they then add a residual risk, the status will update to "Treated".
However, if a user adds a mitigation task after the addition of residual risk, the risk state reverts to "Treatment in Progress" until all the mitigation tasks are completed.
Additionally, we are discontinuing the practice of automatically closing a risk after the residual risk assessment. Now, the risk will stay in the "Treated" state unless a user chooses to close the risk from the actions menu on the risk detail page.
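The lifecycle above, modelled as a derived-status state machine so each rule can be checked. This is an added example, not the product's own code; the class and method names are assumptions, and the status is computed from recorded facts (assessment, tasks, residual risk, explicit close) rather than stored, which is what keeps "Treated" from ever being reached automatically.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class RiskStatus(str, Enum):
    OPEN = "Open"
    ASSESSED = "Assessed"
    TREATMENT_IN_PROGRESS = "Treatment in Progress"
    TREATED = "Treated"
    CLOSED = "Closed"


@dataclass
class MitigationTask:
    title: str
    done: bool = False


@dataclass
class Risk:
    """Hypothetical risk record; status is derived, never set directly."""
    title: str
    assessed: bool = False
    controls: List[str] = field(default_factory=list)
    tasks: List[MitigationTask] = field(default_factory=list)
    residual: Optional[str] = None   # e.g. "Low"; None until residual risk is recorded
    closed: bool = False

    def assess(self, controls=()):
        # Initial assessment, optionally linking existing mitigating controls.
        self.assessed = True
        self.controls.extend(controls)

    def add_task(self, title):
        if not self.assessed:
            raise ValueError("assess the risk before adding mitigation tasks")
        task = MitigationTask(title)
        self.tasks.append(task)
        return task

    def add_residual(self, level):
        if not self.assessed:
            raise ValueError("assess the risk before recording residual risk")
        self.residual = level

    def close(self):
        # The only path to Closed: an explicit user action, never automatic.
        self.closed = True

    @property
    def status(self):
        if self.closed:
            return RiskStatus.CLOSED
        if not self.assessed:
            return RiskStatus.OPEN
        open_tasks = any(not t.done for t in self.tasks)
        # Treated needs residual risk recorded AND no outstanding tasks;
        # a task added after residual risk therefore reverts the status.
        if self.residual is not None and not open_tasks:
            return RiskStatus.TREATED
        if self.tasks:
            return RiskStatus.TREATMENT_IN_PROGRESS
        return RiskStatus.ASSESSED
```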