Addressing security risks involves recognising the constraints that exist within the organisation, which can have a dramatic effect on the selection of requirements for security controls.

Questions concerning constraints

  • Is finance available to cover the CAPEX and OPEX costs associated with implementing and operating a security control?
  • Will the security control prevent the business from operating ‘effectively’?
  • Are there time constraints?
  • Is the security control legal?
  • Will the organisation be able to accept the introduction of the security control? (e.g. culture)
  • Is there sufficient ‘people resource’ to implement and operate the control?
  • Will the implementation ‘fit’ into the existing ICT infrastructure?