Best Practices for Planning Risk Mitigation Throughout an Organization

When planning risk mitigation strategies for an organization, several best practices can be used. These include:

  • Reviewing historical documentation—Historical documentation includes previous risk assessments and BIAs (business impact analyses), policies and procedures, and records of security incidents. Although the risks may have changed, many of the threats and vulnerabilities will have stayed the same.
  • Including both a narrow and a broad focus—Specific risks and mitigation strategies for specific systems and functions can be identified, which represents a narrow focus. However, the focus must also be broadened to include the entire organization. For example, training and awareness programs help ensure the entire organization recognizes the importance of security.
  • Ensuring that governing laws have been identified—Taking the time to understand the applicable laws is important for determining compliance within the organization. If a law does apply to the organization, the organization needs to implement the steps necessary to ensure it is compliant.
  • Redoing risk assessments when a control changes—Risk assessments are completed at a point in time. Therefore, if the control changes, the risk assessment is no longer valid.
  • Including a CBA—CBAs (cost-benefit analyses) provide justification for controls and help to determine their value. A CBA clearly demonstrates either that a control should be purchased or that the control isn’t worth its cost.