3.1 (d) Taking Action:
Agreed actions need to be taken on time and reported to top management. They also need to be documented and audited from time to time.
3.1 (e) Monitoring:
Unless the implemented controls are monitored on a frequent basis, the final objective cannot be achieved. One can only rest as long as control points are implemented and also tested from time to time to ensure they are still working, as external parameters are constantly changing and ever challenging.
3.1 (f) Reporting / MIS:
Top management must always be kept in the loop. They need to know what the risks are and how they are identified, measured, ranked, controlled, etc. After all, the ultimate risks (responsibilities) lie on their (top management's) shoulders.