Commit c828ec9c authored by Valerie Aurora

Add instructions on how to add new security profiles

parent f1261e84
+13 −0
@@ -2047,6 +2047,19 @@ Security profiles are associated with sets of risk factor levels.
| SP-VI-1          | 0   | 1   | 0   | 0   | 1   | 0   | 1   | 1   | 1   | 1   | 0   |
| SP-VI-2          | 0   | 2   | 2   | 2   | 1   | 0   | 2   | 2   | 2   | 2   | 0   |

## C.7 How to add new security profiles

To add a new security profile, do the following:

1. Do a risk assessment on the category of product covered by the new security profile.
1. Determine the risk factors for the new security profile.
1. If there are any new threats, add them to the threats list along with their risk calculation formula.
1. If any new risk factors are necessary to calculate risks for the new security profile, add the risk factors and update the score for all the security profiles.
1. Use the risk factors of the new security profile to calculate which of the existing mitigations must be applied.
1. After the existing risk mitigations are applied, check if all threats are sufficiently mitigated. If not, add new mitigations until the threats have been reduced sufficiently.
1. Update all relevant mappings (e.g. security profile to risk mitigation sets).
1. Propose the new security profile as a contribution to the standard via the ETSI process.

# Annex D (informative): Risk evaluation guidance

## D.1 Explanation of Risk Modeling Approach
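
Review bot: Step 3 adds new threats to the shared threats list, but unlike step 4 (which says to "update the score for all the security profiles") nothing tells the contributor to re-evaluate the existing security profiles against those new threats, or against any new mitigations added in step 6. Suggest extending steps 3 and 6 with a re-check of the existing profiles, or making that explicit in step 7. Steps 2 and 4 also read out of order: step 2 determines the risk factors for the new profile before step 4 has introduced any new ones, so moving step 4 ahead of step 2, and saying "risk factor levels" in step 2 to match the sentence in the hunk header, would remove the ambiguity. Step 6 relies on "sufficiently mitigated" without saying what counts as sufficient; point to wherever the document defines the acceptable level, or state it in the step.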