Is it acceptable to use the organisation's existing risk matrix to comply with Part-IS, or should a new risk matrix be designed and implemented?
Answer
Part-IS does not require the use of a particular risk matrix. However, a given risk matrix is acceptable only as long as it is fit for the purpose of properly ranking information security risks with a potential impact on safety.
Last updated: 22/08/2025