I. Name the primary objective of the planning and risk assessment domain. The objective is to keep an eye on the entire information security program, in part by identifying and planning ongoing information security activities to reduce risk over time.
II. Review the following objectives of this domain:
• Establish a formal review process for the information security program that complements and supports both IT planning and strategic planning.
• Institute formal project identification, selection, planning, and management processes for follow-up activities that augment the current information security program.
• Coordinate with IT project teams to introduce risk assessment and review for all IT projects so that risks introduced by the launches of new IT projects are identified, documented, and factored into decisions about the projects.
•  Integrate a mindset of risk assessment throughout the organization that encourages other departments to perform risk assessment activities when any technology system is implemented or modified.
III. Examine that the risk assessment group also identifies and documents risks introduced by both IT projects and information security projects. The group also identifies and documents risks that may be latent in the present environment.