The organization:
RA-1a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
RA-1a.1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
RA-1a.2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and
RA-1b. Reviews and updates the current:
RA-1b.1. Risk assessment policy [Assignment: organization-defined frequency]; and
RA-1b.2. Risk assessment procedures [Assignment: organization-defined frequency].