Question: If an auditor asks what the basis is for the definition of a QTL used for a given risk, what is your answer? Example: for query latency we set the value to 9 days in our study; why is it not set to 5 or 15?
The strategies you can choose to answer this question could be:
- You may show historical data (e.g., a retrospective analysis) where query latency over 9 days led to dangerous consequences in a similar study or studies.
- You may document the various opinions of experts, asking "what limit is critical for query processing", and document a "heatmap" of opinions clustered around the number 9.
- You may also use the strategy of "adaptive start", i.e., you begin with the best-guess "9 days" and then adjust the threshold (up and down) based on feedback from the system and from SMEs.
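As an added illustration of the retrospective-analysis and adaptive-start strategies (not part of the original answer): the script below scores the candidate limits 5, 9 and 15 days against a small constructed history of queries, each labelled by whether its latency led to a problem, and applies a simple rule for nudging the limit from feedback. The history, the labels and the adjustment rule are assumptions, not values from any real study.

```python
"""Retrospective check of candidate query-latency QTLs (added example)."""

# Constructed sample: (query latency in days, whether that latency led to a
# consequence the QTL is meant to prevent). Not data from a real study.
HISTORY = [
    (2, False), (3, False), (4, False), (5, False), (6, False), (7, False),
    (8, False), (8, True), (10, True), (11, True), (12, False), (14, True),
    (16, True), (20, True),
]


def classify(history, limit):
    """Count how 'latency > limit' performs as the trigger on past queries."""
    counts = {"caught": 0, "missed": 0, "false_alarms": 0, "quiet": 0}
    for latency, led_to_problem in history:
        flagged = latency > limit
        if flagged and led_to_problem:
            counts["caught"] += 1
        elif flagged:
            counts["false_alarms"] += 1
        elif led_to_problem:
            counts["missed"] += 1
        else:
            counts["quiet"] += 1
    return counts


def evaluate_threshold(history, limit):
    """Return (sensitivity, false-alarm rate) for one candidate limit."""
    c = classify(history, limit)
    sensitivity = c["caught"] / (c["caught"] + c["missed"])
    false_alarm_rate = c["false_alarms"] / (c["false_alarms"] + c["quiet"])
    return sensitivity, false_alarm_rate


def compare_candidates(history, candidates=(5, 9, 15)):
    """Score each candidate so the choice of 9 can be shown, not asserted."""
    return {limit: evaluate_threshold(history, limit) for limit in candidates}


def adjust_limit(limit, missed, false_alarms, max_false_alarms, step=1):
    """Adaptive start: tighten if problems were missed, relax if it is too noisy."""
    if missed > 0:
        return limit - step
    if false_alarms > max_false_alarms:
        return limit + step
    return limit


if __name__ == "__main__":
    for limit, (sens, far) in compare_candidates(HISTORY).items():
        print(f"limit {limit:>2} days: sensitivity={sens:.2f} false_alarm_rate={far:.2f}")
```

On this constructed history, 5 days catches every problem but flags half of the harmless queries, 15 days is quiet but misses most problems, and 9 days sits between them; the same table, built from real retrospective data, is what an auditor would expect to see.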