0003954
ISO/IEC 27005: Information security, cybersecurity and privacy protection — Guidance on managing information security risks, Fourth edition
International Organization for Standardization
International or National Standard
Free
ISO 27005:2022
ISO/IEC 27005: Information security, cybersecurity and privacy protection — Guidance on managing information security risks
2022-10-01
The document as a whole was last reviewed and released on 2024-08-09T00:00:00-0700.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools. The mapping team has taken every effort to ensure the quality of mapping is of the highest degree.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. By virtue of those Citations and mandates being tied to Common Controls, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub, contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within ISO/IEC 27005: Information security, cybersecurity and privacy protection — Guidance on managing information security risks, Fourth edition that has been tagged with its primary and secondary nouns and primary and secondary verbs, in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for ISO/IEC 27005: Information security, cybersecurity and privacy protection — Guidance on managing information security risks, Fourth edition are based upon terms found within the Authority Document’s defined terms section (which most legal documents have) or its glossary and, for the most part, as tagged within each mandate. The terms with links are the standardized version of the term.
An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular.

Common Control (CC ID) and supporting citations | TYPE | CLASS | |
---|---|---|---|
Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
Review the risk assessments as compared to the in scope controls. CC ID 06978 [According to ISO/IEC 27001:2022, 6.1.2 b), the organization in the scope of the ISMS is required to ensure that repeated information security risk assessments produce consistent, valid and comparable results. It means the chosen method should ensure the following properties of results: § 6.5 ¶ 4] | Testing | Detective | |
Establish, implement, and maintain a risk management program. CC ID 12051 [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: § 5.2 ¶ 1 {risk management operational cycle} The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: operational cycle, where the above-mentioned elements serves as input information or changed criteria that will affect a risk assessment or assessment where the scenarios should be reviewed and updated. The review should include updating of the corresponding risk treatment as applicable. § 5.2 ¶ 1 Bullet 2 {risk management strategic cycle} {risk management operational cycle} The strategic cycle should be conducted at longer time basis or when major changes occur while the operational cycle should be shorter depending on the detailed risks that are identified and assessed as well as the related risk treatment. § 5.2 ¶ 2 Action: The information security risk management process should be continually monitored, reviewed and improved as necessary. § 10.8 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include the scope of risk management activities in the risk management program. CC ID 13658 | Establish/Maintain Documentation | Preventive | |
Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 | Business Processes | Detective | |
Integrate the risk management program with the organization's business activities. CC ID 13661 | Business Processes | Preventive | |
Integrate the risk management program into daily business decision-making. CC ID 13659 [The risk assessment should help the organization make decisions about the management of the risks that affect the achievement of its objectives. This should therefore be targeted at those risks and controls that, if managed successfully, will improve the likelihood of the organization achieving its objectives. § 6.3 ¶ 3] | Business Processes | Preventive | |
Include managing mobile risks in the risk management program. CC ID 13535 | Establish/Maintain Documentation | Preventive | |
Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 | Audits and Risk Management | Preventive | |
Include regular updating in the risk management system. CC ID 14990 | Business Processes | Preventive | |
Establish, implement, and maintain a risk management policy. CC ID 17192 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain risk management strategies. CC ID 13209 [{risk management strategic cycle} The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: strategic cycle, where business assets, risk sources and threats, target objectives or consequences to information security events are evolving from changes in the overall context of the organization. This can result as inputs for an overall update of the risk assessment or risk assessments and the risk treatments. It can also serve as an input for identifying new risks and initiate completely new risk assessments; § 5.2 ¶ 1 Bullet 1 {risk management strategic cycle} {risk management operational cycle} The strategic cycle should be conducted at longer time basis or when major changes occur while the operational cycle should be shorter depending on the detailed risks that are identified and assessed as well as the related risk treatment. § 5.2 ¶ 2 {risk management approach} The chosen approach should be documented. § 6.5 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include off-site storage of supplies in the risk management strategies. CC ID 13221 | Establish/Maintain Documentation | Preventive | |
Include data quality in the risk management strategies. CC ID 15308 | Data and Information Management | Preventive | |
Include minimizing service interruptions in the risk management strategies. CC ID 13215 | Establish/Maintain Documentation | Preventive | |
Include off-site storage in the risk mitigation strategies. CC ID 13213 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Establish/Maintain Documentation | Preventive | |
Analyze the risk management strategy for addressing threats. CC ID 12925 [In general, to set risk criteria, the following should be considered: how combinations and sequences of multiple risks will be taken into account; § 6.4.1 ¶ 3 Bullet 6] | Audits and Risk Management | Detective | |
Analyze the risk management strategy for addressing opportunities. CC ID 12924 [Risk acceptance criteria should be established considering the following influencing factors: organizational opportunities; § 6.4.2 ¶ 5 Bullet 2] | Audits and Risk Management | Detective | |
Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 [An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can include multiple thresholds, and authority for acceptance can be assigned to different levels of management; § 6.4.2 ¶ 4c)] | Establish Roles | Preventive | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: § 5.2 ¶ 1 The organization should use the organizational risk assessment process (if established) to assess risks to information or to define an information security risk assessment process. § 7.1 ¶ 1 {risk treatment process} Action: Information about the information security risk assessment and treatment processes should be documented and retained. § 10.4.2 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Human Resources Management | Detective | |
Include the need for risk assessments in the risk assessment program. CC ID 06447 [The context of the risk assessment should be determined including a description of scope and purpose as well as internal and external issues that affect the risk assessment. § 7.1 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Establish and maintain the factors and context for risk to the organization. CC ID 12230 [In general, to set risk criteria, the following should be considered: the nature and type of uncertainties that can affect outcomes and objectives (both tangible and intangible); § 6.4.1 ¶ 3 Bullet 1 In general, to set risk criteria, the following should be considered: time-related factors; § 6.4.1 ¶ 3 Bullet 3 In general, to set risk criteria, the following should be considered: the organization's capacity. § 6.4.1 ¶ 3 Bullet 7 The list of influencing factors is not exhaustive. The organization should consider the influencing factors based on the context. § 6.4.2 ¶ 6 The context of the risk assessment should be determined including a description of scope and purpose as well as internal and external issues that affect the risk assessment. § 7.1 ¶ 3 Action: All relevant data should be considered to identify and describe internal and external issues influencing information security risk management and requirements of interested parties. § 10.1 ¶ 3] | Audits and Risk Management | Preventive | |
Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 [Risk acceptance criteria should be established considering the following influencing factors: financial constraints; § 6.4.2 ¶ 5 Bullet 6] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain insurance requirements. CC ID 16562 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Communicate | Preventive | |
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Communicate | Preventive | |
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Acquisition/Sale of Assets or Services | Corrective | |
Address cybersecurity risks in the risk assessment program. CC ID 13193 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain fundamental rights impact assessments. CC ID 17217 | Audits and Risk Management | Preventive | |
Include the categories of data used by the system in the fundamental rights impact assessment. CC ID 17248 | Establish/Maintain Documentation | Preventive | |
Include metrics in the fundamental rights impact assessment. CC ID 17249 | Establish/Maintain Documentation | Preventive | |
Include the benefits of the system in the fundamental rights impact assessment. CC ID 17244 | Establish/Maintain Documentation | Preventive | |
Include user safeguards in the fundamental rights impact assessment. CC ID 17255 | Establish/Maintain Documentation | Preventive | |
Include the outputs produced by the system in the fundamental rights impact assessment. CC ID 17247 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the fundamental rights impact assessment. CC ID 17243 | Establish/Maintain Documentation | Preventive | |
Include monitoring procedures in the fundamental rights impact assessment. CC ID 17254 | Establish/Maintain Documentation | Preventive | |
Include risk management measures in the fundamental rights impact assessment. CC ID 17224 | Establish/Maintain Documentation | Preventive | |
Include human oversight measures in the fundamental rights impact assessment. CC ID 17223 | Establish/Maintain Documentation | Preventive | |
Include risks in the fundamental rights impact assessment. CC ID 17222 | Establish/Maintain Documentation | Preventive | |
Include affected parties in the fundamental rights impact assessment. CC ID 17221 | Establish/Maintain Documentation | Preventive | |
Include the frequency in the fundamental rights impact assessment. CC ID 17220 | Establish/Maintain Documentation | Preventive | |
Include the usage duration in the fundamental rights impact assessment. CC ID 17219 | Establish/Maintain Documentation | Preventive | |
Include system use in the fundamental rights impact assessment. CC ID 17218 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Process or Activity | Preventive | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Communicate | Preventive | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the risk assessment policy. CC ID 14121 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the risk assessment policy. CC ID 14119 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Establish/Maintain Documentation | Preventive | |
Include the scope in the risk assessment policy. CC ID 14117 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the risk assessment policy. CC ID 14116 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Communicate | Preventive | |
Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 [{legal aspects} Risk acceptance criteria should be established considering the following influencing factors: legal and regulatory aspects; § 6.4.2 ¶ 5 Bullet 3 {legal requirements} The organization should develop a risk ranking, taking into account the following: legal and regulatory requirements, and contractual obligations; § 6.4.3.4 ¶ 3c)] | Establish/Maintain Documentation | Preventive | |
Analyze the organization's information security environment. CC ID 13122 | Technical Security | Preventive | |
Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 [Any non-compliance with the basic requirements should be explained and justified. These basic requirements and their compliance should be the input for the likelihood assessment and for the risk treatment. § 6.2 ¶ 4 Risk assessment criteria, or a formal basis for defining them, should be standardized across the organization for all types of risk assessment, as this can facilitate the communication, comparison and aggregation of risks associated with multiple business domains. § 6.4.3.1 ¶ 5 Whether quantitative or qualitative criteria are used, evaluation scales should ultimately be anchored to a reference scale that is understood by all interested parties, and both risk analysis and risk evaluation should include at least periodic formal calibration against the reference scale to ensure validity, consistency and comparability of results. § 6.4.3.4 ¶ 7 {information security risk management method} It means the chosen method should ensure the following properties of results: comparability: risk assessment criteria should be defined to ensure that assessments performed for different risks produce comparable results when representing equivalent levels of risk; § 6.5 ¶ 4 Bullet 2 The risk assessment process should be based on methods (see 6.5) and tools designed in sufficient detail to ensure, as far as is possible, consistent, valid and reproducible results. Furthermore, the outcome should be comparable, e.g. to determine whether the level of risk increased or decreased. § 7.1 ¶ 5 {information security risk management method} It means the chosen method should ensure the following properties of results: consistency: assessments of the same risks performed by different persons, or by the same persons on different occasions, in the same context, should produce similar results; § 6.5 ¶ 4 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account information classification. CC ID 06477 [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: the classification level of information; § 6.4.3.1 ¶ 4a)] | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that align with strategic objectives. CC ID 06474 [The risk assessment should help the organization make decisions about the management of the risks that affect the achievement of its objectives. This should therefore be targeted at those risks and controls that, if managed successfully, will improve the likelihood of the organization achieving its objectives. § 6.3 ¶ 3 Risk analysis should be targeted at those risks and controls that, if managed successfully, improve the likelihood of the organization achieving its objectives. It is easy to spend significant time on a risk assessment, notably the assessment of likelihoods and consequences. To enable efficient decision-making on the management of risks, it can be sufficient to use initial, and rough estimates of likelihood and consequence. § 7.3.1 ¶ 4] | Establish/Maintain Documentation | Preventive | |
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Human Resources Management | Preventive | |
Employ risk assessment procedures that take into account the target environment. CC ID 06479 [{information security risk management method} It means the chosen method should ensure the following properties of results: validity: assessments should produce the results that accord as closely as possible with reality. § 6.5 ¶ 4 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and Risk Management | Preventive | |
Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 [An organization should define levels of risk acceptance. The following should be considered during development: different risk acceptance criteria can apply to different classes of risk (e.g. risks that can result in non-compliance with regulations or laws are not always retained, while acceptance of risks can be allowed if the acceptance is a result of a contractual requirement); § 6.4.2 ¶ 4e) Consequence criteria define how an organization categorizes the significance of potential information security events to the organization. It is essential to determine how many categories of consequences are used, how they are defined, and what consequences are associated with each category. Usually, consequence criteria are different for different organizations depending on the organization's internal and external context. § 6.4.3.2 ¶ 3 Depending on the situation, it is recommended to consider the inherent level of risk (without considering any controls), or the current level of risk (allowing for the effectiveness of any controls already implemented). The organization should develop a risk ranking, taking into account the following: § 6.4.3.4 ¶ 3 {external risk} The organization should develop a risk ranking, taking into account the following: risks that appear beyond the boundaries of the organization's scope, including unforeseen effects on third parties. § 6.4.3.4 ¶ 3d) Action: Level of risks should be compared against risk evaluation criteria, particularly risk acceptance criteria. § 7.4.1 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 [Information security risk assessment criteria should take into account the appropriateness of risk management activities. § 6.4.3.1 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Review the risk profiles, as necessary. CC ID 16561 | Audits and Risk Management | Detective | |
Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 [Action: Risks associated with the loss of confidentiality, integrity and availability of information should be identified. § 7.2.1 ¶ 3] | Audits and Risk Management | Preventive | |
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 [In general, to set risk criteria, the following should be considered: how consequence and likelihood will be defined, predicted and measured; § 6.4.1 ¶ 3 Bullet 2 Consequently, risk acceptance criteria should ideally include consideration of likelihood and consequence independently, as well as costs of management, rather than merely level of risk as a combination of likelihood and consequence. § 6.4.2 ¶ 10 Likelihood criteria should cover the predictably manageable range of anticipated event likelihoods. Beyond the limits of practicable manageability, it is typically only necessary to recognize that one or another limit has been exceeded in order to make an adequate risk management decision (designation as an extreme case). If finite scales are too wide, this typically results in excessively coarse quantization and can lead to error in assessment. This is particularly the case where likelihoods fall into the high end of exponentially represented scales, as the increments in the upper ranges are intrinsically very wide. § 6.4.3.3 ¶ 4 The organization should develop a risk ranking, taking into account the following: the consequence criteria and likelihood criteria; § 6.4.3.4 ¶ 3a) ISO 31000 is referenced in ISO/IEC 27001 as a general model. ISO/IEC 27001:2022, 6.1.2, requires that for each identified risk, the risk analysis is based on assessing the consequences resulting from the risk and assessing the likelihood of the risk to determine a level of risk. § 7.3.1 ¶ 2 The likelihood of occurrence of possible or actual scenarios should be assessed and expressed using established likelihood criteria. § 7.3.3 ¶ 3] | Audits and Risk Management | Preventive | |
Approve the threat and risk classification scheme. CC ID 15693 | Business Processes | Preventive | |
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 [Whether quantitative or qualitative criteria are used, evaluation scales should ultimately be anchored to a reference scale that is understood by all interested parties, and both risk analysis and risk evaluation should include at least periodic formal calibration against the reference scale to ensure validity, consistency and comparability of results. § 6.4.3.4 ¶ 7] | Communicate | Preventive | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 [If the risk assessment provides sufficient information to effectively determine the actions required to modify the risks to an acceptable level, then the task is complete and the risk treatment follows. If the information is insufficient, another iteration of the risk assessment should be performed. This can involve a change of context of the risk assessment (e.g. revised scope), involvement of expertise in the relevant field, or other ways to collect the information required to enable risk modification to an acceptable level (see "risk decision point 1" in Figure 1). § 5.1 ¶ 5 Organizations can perform risk assessments embedded within many different processes, such as project management, vulnerability management, incident management, problem management, or even on an impromptu basis for a given identified specific topic. Regardless of how risk assessments are performed, they should collectively cover all the issues relevant to the organization within the scope of an ISMS. § 6.3 ¶ 2 {requirement} Action: The risk assessment process should be performed in accordance with Clause 7. § 9.1 ¶ 3] | Testing | Preventive | |
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Establish/Maintain Documentation | Preventive | |
Update the risk assessment upon changes to the risk profile. CC ID 11627 [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: § 5.2 ¶ 1 The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: analysing and learning lessons from incidents (including near misses), changes, trends, successes and failures; § 10.5.1 ¶ 2c)] | Establish/Maintain Documentation | Detective | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Establish/Maintain Documentation | Preventive | |
Create a risk assessment report based on the risk assessment results. CC ID 15695 [{risk treatment} Action: Information about the information security risk assessment and treatment results should be documented and retained. § 10.4.3 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and Risk Management | Detective | |
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Communicate | Preventive | |
Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 [Action: Information on risks, their causes, consequences, their likelihood and the controls being taken to treat them should be communicated to, or obtained from, the external and internal interested parties. § 10.3 ¶ 4] | Behavior | Preventive | |
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 | Investigate | Detective | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 [The organization should develop a risk ranking, taking into account the following: the consequence criteria and likelihood criteria; § 6.4.3.4 ¶ 3a) The consequences resulting from the failure to adequately preserve confidentiality, integrity or availability of information should be identified and assessed. § 7.3.2 ¶ 3 The organization should develop a risk ranking, taking into account the following: the consequences that information security events can have on strategic, tactical and operational levels (this can be defined as worst case or in other terms provided the same basis is used consistently); § 6.4.3.4 ¶ 3b)] | Audits and Risk Management | Preventive | |
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 | Establish/Maintain Documentation | Preventive | |
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Establish/Maintain Documentation | Preventive | |
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 | Establish/Maintain Documentation | Preventive | |
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 | Establish/Maintain Documentation | Preventive | |
Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 | Communicate | Preventive | |
Establish, implement, and maintain a risk register. CC ID 14828 | Establish/Maintain Documentation | Preventive | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [The organization should use the organizational risk assessment process (if established) to assess risks to information or to define an information security risk assessment process. § 7.1 ¶ 1] | Audits and Risk Management | Preventive | |
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 [In general, to set risk criteria, the following should be considered: consistency in the use of measurements; § 6.4.1 ¶ 3 Bullet 4 In general, to set risk criteria, the following should be considered: how the level of risk will be determined; § 6.4.1 ¶ 3 Bullet 5 Consequence criteria define how an organization categorizes the significance of potential information security events to the organization. It is essential to determine how many categories of consequences are used, how they are defined, and what consequences are associated with each category. Usually, consequence criteria are different for different organizations depending on the organization's internal and external context. § 6.4.3.2 ¶ 3 {be equivalent} If a qualitative approach is used, the levels of any qualitative scale should be unambiguous, its increments should be clearly defined, the qualitative descriptions for each level should be expressed in objective language and the levels should not overlap. When different scales are used (e.g. to address risks in different business domains), there should be an equivalency to allow comparable results. § 6.4.3.4 ¶ 8] | Audits and Risk Management | Preventive | |
Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 [When defining consequence criteria, the following should especially be considered: loss of staff and intellectual capital (skills and expertise); § 6.4.3.2 ¶ 2c)] | Process or Activity | Detective | |
Assess the potential level of business impact risk associated with individuals. CC ID 17170 [When defining consequence criteria, the following should especially be considered: adverse impact on interested parties; § 6.4.3.2 ¶ 2k) Risk acceptance criteria should be established considering the following influencing factors: human factors (e.g. related to privacy). § 6.4.2 ¶ 5 Bullet 9 When defining consequence criteria, the following should especially be considered: loss of life or harm to individuals or groups; § 6.4.3.2 ¶ 2a) When defining consequence criteria, the following should especially be considered: loss of freedom, dignity or right to privacy; § 6.4.3.2 ¶ 2b)] | Process or Activity | Detective | |
Assess the potential level of business impact risk associated with each business process. CC ID 06463 [Risk acceptance criteria should be established considering the following influencing factors: processes; § 6.4.2 ¶ 5 Bullet 7 {determine} {appropriateness} {risk management activities} Considerations for achieving this include: the strategic value of the business processes that make use of the information; § 6.4.3.1 ¶ 4c) Risk acceptance criteria should be established considering the following influencing factors: operational activities; § 6.4.2 ¶ 5 Bullet 4 {internal operations} When defining consequence criteria, the following should especially be considered: impaired internal or third-party operations (e.g. damage to a business function or process); § 6.4.3.2 ¶ 2d)] | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with the business environment. CC ID 06464 [In general, to set risk criteria, the following should be considered: how consequence and likelihood will be defined, predicted and measured; § 6.4.1 ¶ 3 Bullet 2 Consequently, risk acceptance criteria should ideally include consideration of likelihood and consequence independently, as well as costs of management, rather than merely level of risk as a combination of likelihood and consequence. § 6.4.2 ¶ 10 When defining consequence criteria, the following should especially be considered: effects to plans and deadlines; § 6.4.3.2 ¶ 2e) When defining consequence criteria, the following should especially be considered: loss of business advantage or market share; § 6.4.3.2 ¶ 2g) {business value} When defining consequence criteria, the following should especially be considered: loss of business and financial value; § 6.4.3.2 ¶ 2f) ISO 31000 is referenced in ISO/IEC 27001 as a general model. ISO/IEC 27001:2022, 6.1.2, requires that for each identified risk, the risk analysis is based on assessing the consequences resulting from the risk and assessing the likelihood of the risk to determine a level of risk. § 7.3.1 ¶ 2] | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: the criticality of the information and assets related to information involved; § 6.4.3.1 ¶ 4d) {determine} {appropriateness} {risk management activities} Considerations for achieving this include: the quantity, and any concentration of information; § 6.4.3.1 ¶ 4b)] | Audits and Risk Management | Detective | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Investigate | Detective | |
Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 [When defining consequence criteria, the following should especially be considered: breaches of legal, regulatory or statutory requirements; § 6.4.3.2 ¶ 2i)] | Process or Activity | Detective | |
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: operational and business importance of availability, confidentiality and integrity; § 6.4.3.1 ¶ 4e) The consequences resulting from the failure to adequately preserve confidentiality, integrity or availability of information should be identified and assessed. § 7.3.2 ¶ 3] | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 [ISO/IEC 27001 is concerned with the consequences which are directly or indirectly affected by the preservation or loss of confidentiality, integrity and availability of information in the scope of the ISMS. Consequence criteria should be developed and specified in terms of the extent of damage or loss, or harm to an organization or individual resulting from the loss of confidentiality, integrity and availability of information. When defining consequence criteria, the following should especially be considered: § 6.4.3.2 ¶ 2] | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: negative consequences such as loss of goodwill and reputation; § 6.4.3.1 ¶ 4g) When defining consequence criteria, the following should especially be considered: damage to public trust or reputation; § 6.4.3.2 ¶ 2h)] | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 [When defining consequence criteria, the following should especially be considered: negative impact on the environment, pollution. § 6.4.3.2 ¶ 2l)] | Process or Activity | Detective | |
Assess the potential level of business impact risk associated with external entities. CC ID 06469 [Risk acceptance criteria should be established considering the following influencing factors: supplier relationships; § 6.4.2 ¶ 5 Bullet 8 When defining consequence criteria, the following should especially be considered: breaches of contracts or service levels; § 6.4.3.2 ¶ 2j) {internal operations} When defining consequence criteria, the following should especially be considered: impaired internal or third-party operations (e.g. damage to a business function or process); § 6.4.3.2 ¶ 2d)] | Audits and Risk Management | Detective | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [Risk treatment involves an iterative process of: deciding whether the remaining risk is acceptable; § 5.1 ¶ 6 Bullet 4 It is important to understand that risk appetite, defined as the amount of risk an organization is willing to pursue or accept, can vary considerably from organization to organization. For instance, factors affecting an organization's risk appetite include size, complexity and sector. Risk appetite should be set and regularly reviewed by top management. § 6.1 ¶ 3 An organization should define levels of risk acceptance. The following should be considered during development: § 6.4.2 ¶ 4 {is unacceptable} In risk evaluation, risk acceptance criteria should be used to determine whether a risk is acceptable or not. § 6.4.2 ¶ 2 An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can include multiple thresholds, and authority for acceptance can be assigned to different levels of management; § 6.4.2 ¶ 4c) An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can be based on likelihood and consequence alone, or can be extended to also consider the cost/benefit balance between prospective losses and the cost of controls; § 6.4.2 ¶ 4d) An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria should be defined based upon the risk appetite that indicates amount and type of risk that the organization is willing to pursue or retain; § 6.4.2 ¶ 4g) An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can be absolute or conditional depending on the context. § 6.4.2 ¶ 4h) The risk criteria should be kept under review and updated as necessary as a result of any changes in the context of information security risk management. § 6.4.2 ¶ 13 {determine} {appropriateness} {risk management activities} Considerations for achieving this include: consistency with the organizational risk criteria. § 6.4.3.1 ¶ 4h) Depending on the situation, it is recommended to consider the inherent level of risk (without considering any controls), or the current level of risk (allowing for the effectiveness of any controls already implemented). The organization should develop a risk ranking, taking into account the following: § 6.4.3.4 ¶ 3 Risk acceptance criteria should be established considering the following influencing factors: § 6.4.2 ¶ 5 The level of risk should be determined as a combination of the assessed likelihood and the assessed consequences for all relevant risk scenarios. § 7.3.4 ¶ 3 Action: Determine whether the residual risks are acceptable. § 8.6.3 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 [Risk treatment involves an iterative process of: formulating and selecting risk treatment options; § 5.1 ¶ 6 Bullet 1 Action: Risk treatment options should be chosen. § 8.2 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Approve the risk acceptance level, as necessary. CC ID 17168 [The risk acceptance criteria should be approved by the authorized management level. § 6.4.2 ¶ 15] | Process or Activity | Preventive | |
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 [{requirements} Action: Compare all necessary controls with those listed in ISO/IEC 27001:2022, Annex A. § 8.4 ¶ 3] | Establish/Maintain Documentation | Detective | |
Document the results of the gap analysis. CC ID 16271 | Establish/Maintain Documentation | Preventive | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [The purpose of scales for level of risk is to help risk owners to decide about retaining or otherwise treating risks and to prioritize them for risk treatment. The assessed level of a particular risk should help the organization to determine the urgency for addressing that risk. § 6.4.3.4 ¶ 2 Action: The risks on the list should be prioritized for risk treatment, considering assessed levels of risks. § 7.4.2 ¶ 3 The output of this process is a set of necessary information security controls [see ISO/IEC 27001:2022, 6.1.3 b)] that are to be deployed or enhanced in relation to one another, in accordance with the risk treatment plan [see ISO/IEC 27001:2022, 6.1.3 e)]. Deployed in this way, the effectiveness of the risk treatment plan is to modify the information security risk facing the organization so that it meets the organization's criteria for acceptance. § 8.1 ¶ 2 Action: Determine all controls, from the chosen control sets as selected from an appropriate source, that are necessary for treating the risks based on the risk treatment options chosen, such as to modify, retain, avoid or share the risks. § 8.3 ¶ 3] | Audits and Risk Management | Preventive | |
Determine the effectiveness of risk control measures. CC ID 06601 [Risk treatment involves an iterative process of: assessing the effectiveness of that treatment; § 5.1 ¶ 6 Bullet 3 The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: ensuring that the risk treatments are effective, efficient and economical in both design and operation; § 10.5.1 ¶ 2a)] | Testing | Detective | |
Establish, implement, and maintain a risk treatment plan. CC ID 11983 [Risk treatment involves an iterative process of: planning and implementing risk treatment; § 5.1 ¶ 6 Bullet 2 An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can include requirements for future additional treatment (e.g. a risk can be retained on a short-term basis even when the level of risk exceeds the risk acceptance criteria if there is approval and commitment to take action to implement a chosen set of controls to reach an acceptable level within a defined time period); § 6.4.2 ¶ 4f) {risk management operational cycle} The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: operational cycle, where the above-mentioned elements serves as input information or changed criteria that will affect a risk assessment or assessment where the scenarios should be reviewed and updated. The review should include updating of the corresponding risk treatment as applicable. § 5.2 ¶ 1 Bullet 2 Action: Formulate risk treatment plan. § 8.6.1 ¶ 3 Action: The risk treatment process should be performed in accordance with Clause 8. § 9.2 ¶ 3 {risk treatment process} Action: Information about the information security risk assessment and treatment processes should be documented and retained. § 10.4.2 ¶ 2 {risk treatment} Action: Information about the information security risk assessment and treatment results should be documented and retained. § 10.4.3 ¶ 2 Action: Revise the risk treatment plan and implement it to modify the residual risk to an acceptable level. § 10.7 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the risk treatment plan. CC ID 16991 | Establish/Maintain Documentation | Preventive | |
Include time information in the risk treatment plan. CC ID 16993 | Establish/Maintain Documentation | Preventive | |
Include allocation of resources in the risk treatment plan. CC ID 16989 | Establish/Maintain Documentation | Preventive | |
Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Establish/Maintain Documentation | Preventive | |
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and Risk Management | Preventive | |
Include the risk treatment strategy in the risk treatment plan. CC ID 12159 [{be unacceptable} Risk treatment involves an iterative process of: taking further treatment if not acceptable. § 5.1 ¶ 6 Bullet 5] | Establish/Maintain Documentation | Preventive | |
Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: § 5.2 ¶ 1] | Establish/Maintain Documentation | Corrective | |
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 | Establish/Maintain Documentation | Preventive | |
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 [Action: Information on risks, their causes, consequences, their likelihood and the controls being taken to treat them should be communicated to, or obtained from, the external and internal interested parties. § 10.3 ¶ 4] | Communicate | Preventive | |
Approve the risk treatment plan. CC ID 13495 [{approve} Action: Approval of risk treatment plan(s) by risk owners. § 8.6.2 ¶ 3 Action: The results of information security risk assessment and status of the information security risk treatment plan should be reviewed to confirm that residual risks meet risk acceptance criteria, and that the risk treatment plan addresses all relevant risks and their risk treatment options. § 10.6 ¶ 3] | Audits and Risk Management | Preventive | |
Review and approve the risk assessment findings. CC ID 06485 [Action: The results of information security risk assessment and status of the information security risk treatment plan should be reviewed to confirm that residual risks meet risk acceptance criteria, and that the risk treatment plan addresses all relevant risks and their risk treatment options. § 10.6 ¶ 3] | Establish/Maintain Documentation | Preventive | |
Document residual risk in a residual risk report. CC ID 13664 | Establish/Maintain Documentation | Corrective | |
Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 [It is important to understand that risk appetite, defined as the amount of risk an organization is willing to pursue or accept, can vary considerably from organization to organization. For instance, factors affecting an organization's risk appetite include size, complexity and sector. Risk appetite should be set and regularly reviewed by top management. § 6.1 ¶ 3] | Business Processes | Preventive | |
Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 | Establish/Maintain Documentation | Preventive | |
Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 | Establish/Maintain Documentation | Preventive | |
Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 | Business Processes | Preventive | |
Analyze the impact of artificial intelligence systems on society. CC ID 16317 | Audits and Risk Management | Detective | |
Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 | Audits and Risk Management | Detective | |
Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 | Audits and Risk Management | Preventive | |
Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 | Establish/Maintain Documentation | Preventive | |
Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 | Communicate | Preventive | |
Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 | Communicate | Preventive | |
Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 | Establish/Maintain Documentation | Preventive | |
Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 | Communicate | Preventive | |
Acquire cyber insurance, as necessary. CC ID 12693 | Business Processes | Preventive | |
Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 | Establish/Maintain Documentation | Preventive | |
Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the supply chain risk management policy. CC ID 14711 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the supply chain risk management policy. CC ID 14709 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 | Establish/Maintain Documentation | Preventive | |
Include the scope in the supply chain risk management policy. CC ID 14707 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the supply chain risk management policy. CC ID 14706 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 | Communicate | Preventive | |
Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 | Establish/Maintain Documentation | Preventive | |
Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 | Establish/Maintain Documentation | Preventive | |
Include dates in the supply chain risk management plan. CC ID 15617 | Establish/Maintain Documentation | Preventive | |
Include implementation milestones in the supply chain risk management plan. CC ID 15615 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 | Establish/Maintain Documentation | Preventive | |
Include supply chain risk management procedures in the risk management program. CC ID 13190 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 | Communicate | Preventive | |
Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 | Human Resources Management | Preventive | |
Analyze supply chain risk management procedures, as necessary. CC ID 13198 | Process or Activity | Detective | |
Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 | Communicate | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Establish Roles | Preventive | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 | Establish Roles | Preventive | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 [The organization should ensure that the role of the risk owner is determined in terms of the management activities regarding the identified risks. Risk owners should have appropriate accountability and authority for managing identified risks. § 6.1 ¶ 4 Action: Appropriate level of management should consider results related to information security risks, to decide on or endorse further actions. § 10.2 ¶ 3 Action: Risks should be associated to risk owners. § 7.2.2 ¶ 3] | Human Resources Management | Preventive | |
Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 [The organization should ensure that the role of the risk owner is determined in terms of the management activities regarding the identified risks. Risk owners should have appropriate accountability and authority for managing identified risks. § 6.1 ¶ 4 An organization should define levels of risk acceptance. The following should be considered during development: the level of management with delegated authority to make risk acceptance decisions is identified; § 6.4.2 ¶ 4b)] | Human Resources Management | Preventive | |
Include the management structure in the duties and responsibilities for risk management. CC ID 13665 | Human Resources Management | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 [{risk management} The basic requirements of relevant interested parties should be identified, as well as the status of compliance with these requirements. This includes identifying all the reference documents that define security rules and controls and that apply within the scope of the information security risk assessment. § 6.2 ¶ 2 {determine} {appropriateness} {risk management activities} Considerations for achieving this include: the expectations and perceptions of interested parties (e.g. top management); § 6.4.3.1 ¶ 4f)] | Business Processes | Preventive | |
Establish and maintain an Authority Document list. CC ID 07113 [{risk management} The basic requirements of relevant interested parties should be identified, as well as the status of compliance with these requirements. This includes identifying all the reference documents that define security rules and controls and that apply within the scope of the information security risk assessment. § 6.2 ¶ 2] | Establish/Maintain Documentation | Preventive | |
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Establish/Maintain Documentation | Preventive | |
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Establish/Maintain Documentation | Corrective | |
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Establish/Maintain Documentation | Preventive | |
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Establish/Maintain Documentation | Preventive | |
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Establish/Maintain Documentation | Preventive | |
Include explanations, compensating controls, or risk acceptance in the compliance exceptions document. CC ID 01631 [Any non-compliance with the basic requirements should be explained and justified. These basic requirements and their compliance should be the input for the likelihood assessment and for the risk treatment. § 6.2 ¶ 4] | Establish/Maintain Documentation | Preventive | |
Include cost benefit analysis in the decision management strategy. CC ID 14014 [An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can be based on likelihood and consequence alone, or can be extended to also consider the cost/benefit balance between prospective losses and the cost of controls; § 6.4.2 ¶ 4d) Consequently, risk acceptance criteria should ideally include consideration of likelihood and consequence independently, as well as costs of management, rather than merely level of risk as a combination of likelihood and consequence. § 6.4.2 ¶ 10] | Establish/Maintain Documentation | Preventive | |
Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841 [Risk acceptance criteria should be established considering the following influencing factors: organizational objectives; § 6.4.2 ¶ 5 Bullet 1] | Process or Activity | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Establish, implement, and maintain a risk monitoring program. CC ID 00658 [The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: § 10.5.1 ¶ 2 The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: obtaining information to improve future risk assessments; § 10.5.1 ¶ 2b) The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: detecting changes in the internal and external context, including changes to risk criteria and the risks themselves, which can require revision of risk treatments and priorities; § 10.5.1 ¶ 2d) Action: Risks and their factors (i.e. value of assets, consequences, threats, vulnerabilities, likelihood of occurrence) should be monitored and reviewed to identify any changes in the context of the organization at an early stage, and to maintain an overview of the complete risk picture. § 10.5.2 ¶ 3 The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: identifying emerging risks. § 10.5.1 ¶ 2e)] | Establish/Maintain Documentation | Preventive | |
Monitor and evaluate environmental threats. CC ID 13481 | Monitor and Evaluate Occurrences | Detective | |
Update or adjust fraud detection systems, as necessary. CC ID 13684 | Process or Activity | Corrective | |
Include a system description in the system security plan. CC ID 16467 | Establish/Maintain Documentation | Preventive | |
Include a description of the operational context in the system security plan. CC ID 14301 | Establish/Maintain Documentation | Preventive | |
Include the results of the security categorization in the system security plan. CC ID 14281 | Establish/Maintain Documentation | Preventive | |
Include the information types in the system security plan. CC ID 14696 | Establish/Maintain Documentation | Preventive | |
Include the security requirements in the system security plan. CC ID 14274 | Establish/Maintain Documentation | Preventive | |
Include cryptographic key management procedures in the system security plan. CC ID 17029 | Establish/Maintain Documentation | Preventive | |
Include threats in the system security plan. CC ID 14693 | Establish/Maintain Documentation | Preventive | |
Include network diagrams in the system security plan. CC ID 14273 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the system security plan. CC ID 14682 | Establish/Maintain Documentation | Preventive | |
Include backup and recovery procedures in the system security plan. CC ID 17043 | Establish/Maintain Documentation | Preventive | |
Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Establish/Maintain Documentation | Preventive | |
Include remote access methods in the system security plan. CC ID 16441 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Communicate | Preventive | |
Include a description of the operational environment in the system security plan. CC ID 14272 | Establish/Maintain Documentation | Preventive | |
Include the security categorizations and rationale in the system security plan. CC ID 14270 | Establish/Maintain Documentation | Preventive | |
Include the authorization boundary in the system security plan. CC ID 14257 | Establish/Maintain Documentation | Preventive | |
Align the enterprise architecture with the system security plan. CC ID 14255 | Process or Activity | Preventive | |
Include security controls in the system security plan. CC ID 14239 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Establish/Maintain Documentation | Preventive | |
Include the assessment team in the test plan. CC ID 14297 | Establish/Maintain Documentation | Preventive | |
Include the scope in the test plans. CC ID 14293 | Establish/Maintain Documentation | Preventive | |
Include the assessment environment in the test plan. CC ID 14271 | Establish/Maintain Documentation | Preventive | |
Approve the system security plan. CC ID 14241 | Business Processes | Preventive | |
Establish, implement, and maintain risk management metrics. CC ID 01656 [{be equivalent} If a qualitative approach is used, the levels of any qualitative scale should be unambiguous, its increments should be clearly defined, the qualitative descriptions for each level should be expressed in objective language and the levels should not overlap. When different scales are used (e.g. to address risks in different business domains), there should be an equivalency to allow comparable results. § 6.4.3.4 ¶ 8 The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: analysing and learning lessons from incidents (including near misses), changes, trends, successes and failures; § 10.5.1 ¶ 2c)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain compliance program metrics. CC ID 11625 [{risk management} The basic requirements of relevant interested parties should be identified, as well as the status of compliance with these requirements. This includes identifying all the reference documents that define security rules and controls and that apply within the scope of the information security risk assessment. § 6.2 ¶ 2] | Monitor and Evaluate Occurrences | Preventive | |
Common Control | TYPE | CLASS | |
---|---|---|---|
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 [Risk acceptance criteria should be established considering the following influencing factors: technological constraints; § 6.4.2 ¶ 5 Bullet 5] | Process or Activity | Preventive | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 [Action: Produce a Statement of Applicability. § 8.5 ¶ 3] | Business Processes | Preventive | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Establish/Maintain Documentation | Preventive | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Establish/Maintain Documentation | Preventive | |
Include risk management in the information security program. CC ID 12378 [Although almost anything is "possible", the risk sources that should be given primary attention are those with likelihoods most relevant to the organization's context and the scope of its ISMS. § 6.4.3.3 ¶ 5 The organization should ensure that its information security risk management approach aligns with the organizational risk management approach, so that any information security risks can be compared with other organizational risks and not only considered in isolation. § 7.1 ¶ 6] | Establish/Maintain Documentation | Preventive | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Establish/Maintain Documentation | Preventive | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 [An organization should define levels of risk acceptance. The following should be considered during development: consistency between the information security risk acceptance criteria and the organization's general risk acceptance criteria; § 6.4.2 ¶ 4a) {risk management methods} In general, the information security risk management approach and methods should be aligned with the approach and methods used to manage the other risks of the organization. § 6.5 ¶ 2] | Business Processes | Preventive | |
Common Control | TYPE | CLASS | |
---|---|---|---|
Retain records in accordance with applicable requirements. CC ID 00968 [{risk treatment process} Action: Information about the information security risk assessment and treatment processes should be documented and retained. § 10.4.2 ¶ 2 {risk treatment} Action: Information about the information security risk assessment and treatment results should be documented and retained. § 10.4.3 ¶ 2] | Records Management | Preventive | |
Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
Common Control | IMPACT ZONE | CLASS | |
---|---|---|---|
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Audits and risk management | Corrective | |
Common Control | IMPACT ZONE | CLASS | |
---|---|---|---|
Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 | Audits and risk management | Preventive | |
Analyze the risk management strategy for addressing threats. CC ID 12925 [In general, to set risk criteria, the following should be considered: how combinations and sequences of multiple risks will be taken into account; § 6.4.1 ¶ 3 Bullet 6] | Audits and risk management | Detective | |
Analyze the risk management strategy for addressing opportunities. CC ID 12924 [Risk acceptance criteria should be established considering the following influencing factors: organizational opportunities; § 6.4.2 ¶ 5 Bullet 2] | Audits and risk management | Detective | |
Establish and maintain the factors and context for risk to the organization. CC ID 12230 [In general, to set risk criteria, the following should be considered: the nature and type of uncertainties that can affect outcomes and objectives (both tangible and intangible); § 6.4.1 ¶ 3 Bullet 1 In general, to set risk criteria, the following should be considered: time-related factors; § 6.4.1 ¶ 3 Bullet 3 In general, to set risk criteria, the following should be considered: the organization's capacity. § 6.4.1 ¶ 3 Bullet 7 The list of influencing factors is not exhaustive. The organization should consider the influencing factors based on the context. § 6.4.2 ¶ 6 The context of the risk assessment should be determined including a description of scope and purpose as well as internal and external issues that affect the risk assessment. § 7.1 ¶ 3 Action: All relevant data should be considered to identify and describe internal and external issues influencing information security risk management and requirements of interested parties. § 10.1 ¶ 3] | Audits and risk management | Preventive | |
Establish, implement, and maintain fundamental rights impact assessments. CC ID 17217 | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and risk management | Preventive | |
Review the risk profiles, as necessary. CC ID 16561 | Audits and risk management | Detective | |
Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 [Action: Risks associated with the loss of confidentiality, integrity and availability of information should be identified. § 7.2.1 ¶ 3] | Audits and risk management | Preventive | |
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 [In general, to set risk criteria, the following should be considered: how consequence and likelihood will be defined, predicted and measured; § 6.4.1 ¶ 3 Bullet 2 Consequently, risk acceptance criteria should ideally include consideration of likelihood and consequence independently, as well as costs of management, rather than merely level of risk as a combination of likelihood and consequence. § 6.4.2 ¶ 10 Likelihood criteria should cover the predictably manageable range of anticipated event likelihoods. Beyond the limits of practicable manageability, it is typically only necessary to recognize that one or another limit has been exceeded in order to make an adequate risk management decision (designation as an extreme case). If finite scales are too wide, this typically results in excessively coarse quantization and can lead to error in assessment. This is particularly the case where likelihoods fall into the high end of exponentially represented scales, as the increments in the upper ranges are intrinsically very wide. § 6.4.3.3 ¶ 4 The organization should develop a risk ranking, taking into account the following: the consequence criteria and likelihood criteria; § 6.4.3.4 ¶ 3a) ISO 31000 is referenced in ISO/IEC 27001 as a general model. ISO/IEC 27001:2022, 6.1.2, requires that for each identified risk, the risk analysis is based on assessing the consequences resulting from the risk and assessing the likelihood of the risk to determine a level of risk. § 7.3.1 ¶ 2 The likelihood of occurrence of possible or actual scenarios should be assessed and expressed using established likelihood criteria. § 7.3.3 ¶ 3] | Audits and risk management | Preventive | |
Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and risk management | Detective | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 [The organization should develop a risk ranking, taking into account the following: the consequence criteria and likelihood criteria; § 6.4.3.4 ¶ 3a) The consequences resulting from the failure to adequately preserve confidentiality, integrity or availability of information should be identified and assessed. § 7.3.2 ¶ 3 The organization should develop a risk ranking, taking into account the following: the consequences that information security events can have on strategic, tactical and operational levels (this can be defined as worst case or in other terms provided the same basis is used consistently); § 6.4.3.4 ¶ 3b)] | Audits and risk management | Preventive | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [The organization should use the organizational risk assessment process (if established) to assess risks to information or to define an information security risk assessment process. § 7.1 ¶ 1] | Audits and risk management | Preventive | |
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 [In general, to set risk criteria, the following should be considered: consistency in the use of measurements; § 6.4.1 ¶ 3 Bullet 4 In general, to set risk criteria, the following should be considered: how the level of risk will be determined; § 6.4.1 ¶ 3 Bullet 5 Consequence criteria define how an organization categorizes the significance of potential information security events to the organization. It is essential to determine how many categories of consequences are used, how they are defined, and what consequences are associated with each category. Usually, consequence criteria are different for different organizations depending on the organization's internal and external context. § 6.4.3.2 ¶ 3 {be equivalent} If a qualitative approach is used, the levels of any qualitative scale should be unambiguous, its increments should be clearly defined, the qualitative descriptions for each level should be expressed in objective language and the levels should not overlap. When different scales are used (e.g. to address risks in different business domains), there should be an equivalency to allow comparable results. § 6.4.3.4 ¶ 8] | Audits and risk management | Preventive | |
Assess the potential level of business impact risk associated with each business process. CC ID 06463 [Risk acceptance criteria should be established considering the following influencing factors: processes; § 6.4.2 ¶ 5 Bullet 7 {determine} {appropriateness} {risk management activities} Considerations for achieving this include: the strategic value of the business processes that make use of the information; § 6.4.3.1 ¶ 4c) Risk acceptance criteria should be established considering the following influencing factors: operational activities; § 6.4.2 ¶ 5 Bullet 4 {internal operations} When defining consequence criteria, the following should especially be considered: impaired internal or third-party operations (e.g. damage to a business function or process); § 6.4.3.2 ¶ 2d)] | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with the business environment. CC ID 06464 [In general, to set risk criteria, the following should be considered: how consequence and likelihood will be defined, predicted and measured; § 6.4.1 ¶ 3 Bullet 2 Consequently, risk acceptance criteria should ideally include consideration of likelihood and consequence independently, as well as costs of management, rather than merely level of risk as a combination of likelihood and consequence. § 6.4.2 ¶ 10 When defining consequence criteria, the following should especially be considered: effects to plans and deadlines; § 6.4.3.2 ¶ 2e) When defining consequence criteria, the following should especially be considered: loss of business advantage or market share; § 6.4.3.2 ¶ 2g) {business value} When defining consequence criteria, the following should especially be considered: loss of business and financial value; § 6.4.3.2 ¶ 2f) ISO 31000 is referenced in ISO/IEC 27001 as a general model. ISO/IEC 27001:2022, 6.1.2, requires that for each identified risk, the risk analysis is based on assessing the consequences resulting from the risk and assessing the likelihood of the risk to determine a level of risk. § 7.3.1 ¶ 2] | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: the criticality of the information and assets related to information involved; § 6.4.3.1 ¶ 4d) {determine} {appropriateness} {risk management activities} Considerations for achieving this include: the quantity, and any concentration of information; § 6.4.3.1 ¶ 4b)] | Audits and risk management | Detective | |
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: operational and business importance of availability, confidentiality and integrity; § 6.4.3.1 ¶ 4e) The consequences resulting from the failure to adequately preserve confidentiality, integrity or availability of information should be identified and assessed. § 7.3.2 ¶ 3] | Audits and risk management | Detective | |
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 [ISO/IEC 27001 is concerned with the consequences which are directly or indirectly affected by the preservation or loss of confidentiality, integrity and availability of information in the scope of the ISMS. Consequence criteria should be developed and specified in terms of the extent of damage or loss, or harm to an organization or individual resulting from the loss of confidentiality, integrity and availability of information. When defining consequence criteria, the following should especially be considered: § 6.4.3.2 ¶ 2] | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: negative consequences such as loss of goodwill and reputation; § 6.4.3.1 ¶ 4g) When defining consequence criteria, the following should especially be considered: damage to public trust or reputation; § 6.4.3.2 ¶ 2h)] | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with external entities. CC ID 06469 [Risk acceptance criteria should be established considering the following influencing factors: supplier relationships; § 6.4.2 ¶ 5 Bullet 8 When defining consequence criteria, the following should especially be considered: breaches of contracts or service levels; § 6.4.3.2 ¶ 2j) {internal operations} When defining consequence criteria, the following should especially be considered: impaired internal or third-party operations (e.g. damage to a business function or process); § 6.4.3.2 ¶ 2d)] | Audits and risk management | Detective | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [The purpose of scales for level of risk is to help risk owners to decide about retaining or otherwise treating risks and to prioritize them for risk treatment. The assessed level of a particular risk should help the organization to determine the urgency for addressing that risk. § 6.4.3.4 ¶ 2 Action: The risks on the list should be prioritized for risk treatment, considering assessed levels of risks. § 7.4.2 ¶ 3 The output of this process is a set of necessary information security controls [see ISO/IEC 27001:2022, 6.1.3 b)] that are to be deployed or enhanced in relation to one another, in accordance with the risk treatment plan [see ISO/IEC 27001:2022, 6.1.3 e)]. Deployed in this way, the effectiveness of the risk treatment plan is to modify the information security risk facing the organization so that it meets the organization's criteria for acceptance. § 8.1 ¶ 2 Action: Determine all controls, from the chosen control sets as selected from an appropriate source, that are necessary for treating the risks based on the risk treatment options chosen, such as to modify, retain, avoid or share the risks. § 8.3 ¶ 3] | Audits and risk management | Preventive | |
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and risk management | Preventive | |
Approve the risk treatment plan. CC ID 13495 [{approve} Action: Approval of risk treatment plan(s) by risk owners. § 8.6.2 ¶ 3 Action: The results of information security risk assessment and status of the information security risk treatment plan should be reviewed to confirm that residual risks meet risk acceptance criteria, and that the risk treatment plan addresses all relevant risks and their risk treatment options. § 10.6 ¶ 3] | Audits and risk management | Preventive | |
Analyze the impact of artificial intelligence systems on society. CC ID 16317 | Audits and risk management | Detective | |
Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 | Audits and risk management | Detective | |
Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 | Audits and risk management | Preventive | |
Common Control | IMPACT ZONE | CLASS | |
---|---|---|---|
Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 [Action: Information on risks, their causes, consequences, their likelihood and the controls being taken to treat them should be communicated to, or obtained from, the external and internal interested parties. § 10.3 ¶ 4] | Audits and risk management | Preventive | |
Common Control | IMPACT ZONE | CLASS | |
---|---|---|---|
Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 [{risk management} The basic requirements of relevant interested parties should be identified, as well as the status of compliance with these requirements. This includes identifying all the reference documents that define security rules and controls and that apply within the scope of the information security risk assessment. § 6.2 ¶ 2 {determine} {appropriateness} {risk management activities} Considerations for achieving this include: the expectations and perceptions of interested parties (e.g. top management); § 6.4.3.1 ¶ 4f)] | Leadership and high level objectives | Preventive | |
Approve the system security plan. CC ID 14241 | Monitoring and measurement | Preventive | |
Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 | Audits and risk management | Detective | |
Integrate the risk management program with the organization's business activities. CC ID 13661 | Audits and risk management | Preventive | |
Integrate the risk management program into daily business decision-making. CC ID 13659 [The risk assessment should help the organization make decisions about the management of the risks that affect the achievement of its objectives. This should therefore be targeted at those risks and controls that, if managed successfully, will improve the likelihood of the organization achieving its objectives. § 6.3 ¶ 3] | Audits and risk management | Preventive | |
Include regular updating in the risk management system. CC ID 14990 | Audits and risk management | Preventive | |
Approve the threat and risk classification scheme. CC ID 15693 | Audits and risk management | Preventive | |
Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 [It is important to understand that risk appetite, defined as the amount of risk an organization is willing to pursue or accept, can vary considerably from organization to organization. For instance, factors affecting an organization's risk appetite include size, complexity and sector. Risk appetite should be set and regularly reviewed by top management. § 6.1 ¶ 3] | Audits and risk management | Preventive | |
Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 | Audits and risk management | Preventive | |
Acquire cyber insurance, as necessary. CC ID 12693 | Audits and risk management | Preventive | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 [Action: Produce a Statement of Applicability. § 8.5 ¶ 3] | Operational management | Preventive | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 [An organization should define levels of risk acceptance. The following should be considered during development: consistency between the information security risk acceptance criteria and the organization's general risk acceptance criteria; § 6.4.2 ¶ 4a) {risk management methods} In general, the information security risk management approach and methods should be aligned with the approach and methods used to manage the other risks of the organization. § 6.5 ¶ 2] | Operational management | Preventive | |
Common Control | IMPACT ZONE | CLASS | |
---|---|---|---|
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Monitoring and measurement | Preventive | |
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Audits and risk management | Preventive | |
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Audits and risk management | Preventive | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Audits and risk management | Preventive | |
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Audits and risk management | Preventive | |
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 [Whether quantitative or qualitative criteria are used, evaluation scales should ultimately be anchored to a reference scale that is understood by all interested parties, and both risk analysis and risk evaluation should include at least periodic formal calibration against the reference scale to ensure validity, consistency and comparability of results. § 6.4.3.4 ¶ 7] | Audits and risk management | Preventive | |
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Audits and risk management | Preventive | |
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 | Audits and risk management | Preventive | |
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 [Action: Information on risks, their causes, consequences, their likelihood and the controls being taken to treat them should be communicated to, or obtained from, the external and internal interested parties. § 10.3 ¶ 4] | Audits and risk management | Preventive | |
Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 | Audits and risk management | Preventive | |
Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 | Audits and risk management | Preventive | |
Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 | Audits and risk management | Preventive | |
Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 | Audits and risk management | Preventive | |
Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 | Audits and risk management | Preventive | |
Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 | Audits and risk management | Preventive | |
Common Control | IMPACT ZONE | CLASS | |
---|---|---|---|
Include data quality in the risk management strategies. CC ID 15308 | Audits and risk management | Preventive | |
Common Control | IMPACT ZONE | CLASS | |
---|---|---|---|
Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 [An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can include multiple thresholds, and authority for acceptance can be assigned to different levels of management; § 6.4.2 ¶ 4c)] | Audits and risk management | Preventive | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Human Resources management | Preventive | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 | Human Resources management | Preventive | |
Common Control | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish and maintain an Authority Document list. CC ID 07113 [{risk management} The basic requirements of relevant interested parties should be identified, as well as the status of compliance with these requirements. This includes identifying all the reference documents that define security rules and controls and that apply within the scope of the information security risk assessment. § 6.2 ¶ 2] | Leadership and high level objectives | Preventive | |
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Leadership and high level objectives | Preventive | |
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Leadership and high level objectives | Corrective | |
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Leadership and high level objectives | Preventive | |
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Leadership and high level objectives | Preventive | |
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Leadership and high level objectives | Preventive | |
Include explanations, compensating controls, or risk acceptance in the Compliance Exceptions document. CC ID 01631 [Any non-compliance with the basic requirements should be explained and justified. These basic requirements and their compliance should be the input for the likelihood assessment and for the risk treatment. § 6.2 ¶ 4] | Leadership and high level objectives | Preventive | |
Include cost benefit analysis in the decision management strategy. CC ID 14014 [An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can be based on likelihood and consequence alone, or can be extended to also consider the cost/benefit balance between prospective losses and the cost of controls; § 6.4.2 ¶ 4d) Consequently, risk acceptance criteria should ideally include consideration of likelihood and consequence independently, as well as costs of management, rather than merely level of risk as a combination of likelihood and consequence. § 6.4.2 ¶ 10] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a risk monitoring program. CC ID 00658 [The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: § 10.5.1 ¶ 2 The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: obtaining information to improve future risk assessments; § 10.5.1 ¶ 2b) The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: detecting changes in the internal and external context, including changes to risk criteria and the risks themselves, which can require revision of risk treatments and priorities; § 10.5.1 ¶ 2d) Action: Risks and their factors (i.e. value of assets, consequences, threats, vulnerabilities, likelihood of occurrence) should be monitored and reviewed to identify any changes in the context of the organization at an early stage, and to maintain an overview of the complete risk picture. § 10.5.2 ¶ 3 The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: identifying emerging risks. § 10.5.1 ¶ 2e)] | Monitoring and measurement | Preventive | |
Include a system description in the system security plan. CC ID 16467 | Monitoring and measurement | Preventive | |
Include a description of the operational context in the system security plan. CC ID 14301 | Monitoring and measurement | Preventive | |
Include the results of the security categorization in the system security plan. CC ID 14281 | Monitoring and measurement | Preventive | |
Include the information types in the system security plan. CC ID 14696 | Monitoring and measurement | Preventive | |
Include the security requirements in the system security plan. CC ID 14274 | Monitoring and measurement | Preventive | |
Include cryptographic key management procedures in the system security plan. CC ID 17029 | Monitoring and measurement | Preventive | |
Include threats in the system security plan. CC ID 14693 | Monitoring and measurement | Preventive | |
Include network diagrams in the system security plan. CC ID 14273 | Monitoring and measurement | Preventive | |
Include roles and responsibilities in the system security plan. CC ID 14682 | Monitoring and measurement | Preventive | |
Include backup and recovery procedures in the system security plan. CC ID 17043 | Monitoring and measurement | Preventive | |
Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Monitoring and measurement | Preventive | |
Include remote access methods in the system security plan. CC ID 16441 | Monitoring and measurement | Preventive | |
Include a description of the operational environment in the system security plan. CC ID 14272 | Monitoring and measurement | Preventive | |
Include the security categorizations and rationale in the system security plan. CC ID 14270 | Monitoring and measurement | Preventive | |
Include the authorization boundary in the system security plan. CC ID 14257 | Monitoring and measurement | Preventive | |
Include security controls in the system security plan. CC ID 14239 | Monitoring and measurement | Preventive | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Monitoring and measurement | Preventive | |
Include the assessment team in the test plan. CC ID 14297 | Monitoring and measurement | Preventive | |
Include the scope in the test plans. CC ID 14293 | Monitoring and measurement | Preventive | |
Include the assessment environment in the test plan. CC ID 14271 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain risk management metrics. CC ID 01656 [{be equivalent} If a qualitative approach is used, the levels of any qualitative scale should be unambiguous, its increments should be clearly defined, the qualitative descriptions for each level should be expressed in objective language and the levels should not overlap. When different scales are used (e.g. to address risks in different business domains), there should be an equivalency to allow comparable results. § 6.4.3.4 ¶ 8 The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: analysing and learning lessons from incidents (including near misses), changes, trends, successes and failures; § 10.5.1 ¶ 2c)] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a risk management program. CC ID 12051 [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: § 5.2 ¶ 1 {risk management operational cycle} The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: operational cycle, where the above-mentioned elements serves as input information or changed criteria that will affect a risk assessment or assessment where the scenarios should be reviewed and updated. The review should include updating of the corresponding risk treatment as applicable. § 5.2 ¶ 1 Bullet 2 {risk management strategic cycle} {risk management operational cycle} The strategic cycle should be conducted at longer time basis or when major changes occur while the operational cycle should be shorter depending on the detailed risks that are identified and assessed as well as the related risk treatment. § 5.2 ¶ 2 Action: The information security risk management process should be continually monitored, reviewed and improved as necessary. § 10.8 ¶ 3] | Audits and risk management | Preventive | |
Include the scope of risk management activities in the risk management program. CC ID 13658 | Audits and risk management | Preventive | |
Include managing mobile risks in the risk management program. CC ID 13535 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk management policy. CC ID 17192 | Audits and risk management | Preventive | |
Establish, implement, and maintain risk management strategies. CC ID 13209 [{risk management strategic cycle} The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: strategic cycle, where business assets, risk sources and threats, target objectives or consequences to information security events are evolving from changes in the overall context of the organization. This can result as inputs for an overall update of the risk assessment or risk assessments and the risk treatments. It can also serve as an input for identifying new risks and initiate completely new risk assessments; § 5.2 ¶ 1 Bullet 1 {risk management strategic cycle} {risk management operational cycle} The strategic cycle should be conducted at longer time basis or when major changes occur while the operational cycle should be shorter depending on the detailed risks that are identified and assessed as well as the related risk treatment. § 5.2 ¶ 2 {risk management approach} The chosen approach should be documented. § 6.5 ¶ 3] | Audits and risk management | Preventive | |
Include off-site storage of supplies in the risk management strategies. CC ID 13221 | Audits and risk management | Preventive | |
Include minimizing service interruptions in the risk management strategies. CC ID 13215 | Audits and risk management | Preventive | |
Include off-site storage in the risk mitigation strategies. CC ID 13213 | Audits and risk management | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: § 5.2 ¶ 1 The organization should use the organizational risk assessment process (if established) to assess risks to information or to define an information security risk assessment process. § 7.1 ¶ 1 {risk treatment process} Action: Information about the information security risk assessment and treatment processes should be documented and retained. § 10.4.2 ¶ 2] | Audits and risk management | Preventive | |
Include the need for risk assessments in the risk assessment program. CC ID 06447 [The context of the risk assessment should be determined including a description of scope and purpose as well as internal and external issues that affect the risk assessment. § 7.1 ¶ 3] | Audits and risk management | Preventive | |
Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 [Risk acceptance criteria should be established considering the following influencing factors: financial constraints; § 6.4.2 ¶ 5 Bullet 6] | Audits and risk management | Preventive | |
Establish, implement, and maintain insurance requirements. CC ID 16562 | Audits and risk management | Preventive | |
Address cybersecurity risks in the risk assessment program. CC ID 13193 | Audits and risk management | Preventive | |
Include the categories of data used by the system in the fundamental rights impact assessment. CC ID 17248 | Audits and risk management | Preventive | |
Include metrics in the fundamental rights impact assessment. CC ID 17249 | Audits and risk management | Preventive | |
Include the benefits of the system in the fundamental rights impact assessment. CC ID 17244 | Audits and risk management | Preventive | |
Include user safeguards in the fundamental rights impact assessment. CC ID 17255 | Audits and risk management | Preventive | |
Include the outputs produced by the system in the fundamental rights impact assessment. CC ID 17247 | Audits and risk management | Preventive | |
Include the purpose in the fundamental rights impact assessment. CC ID 17243 | Audits and risk management | Preventive | |
Include monitoring procedures in the fundamental rights impact assessment. CC ID 17254 | Audits and risk management | Preventive | |
Include risk management measures in the fundamental rights impact assessment. CC ID 17224 | Audits and risk management | Preventive | |
Include human oversight measures in the fundamental rights impact assessment. CC ID 17223 | Audits and risk management | Preventive | |
Include risks in the fundamental rights impact assessment. CC ID 17222 | Audits and risk management | Preventive | |
Include affected parties in the fundamental rights impact assessment. CC ID 17221 | Audits and risk management | Preventive | |
Include the frequency in the fundamental rights impact assessment. CC ID 17220 | Audits and risk management | Preventive | |
Include the usage duration in the fundamental rights impact assessment. CC ID 17219 | Audits and risk management | Preventive | |
Include system use in the fundamental rights impact assessment. CC ID 17218 | Audits and risk management | Preventive | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Audits and risk management | Preventive | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Audits and risk management | Preventive | |
Include compliance requirements in the risk assessment policy. CC ID 14121 | Audits and risk management | Preventive | |
Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Audits and risk management | Preventive | |
Include management commitment in the risk assessment policy. CC ID 14119 | Audits and risk management | Preventive | |
Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Audits and risk management | Preventive | |
Include the scope in the risk assessment policy. CC ID 14117 | Audits and risk management | Preventive | |
Include the purpose in the risk assessment policy. CC ID 14116 | Audits and risk management | Preventive | |
Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 [{legal aspects} Risk acceptance criteria should be established considering the following influencing factors: legal and regulatory aspects; § 6.4.2 ¶ 5 Bullet 3 {legal requirements} The organization should develop a risk ranking, taking into account the following: legal and regulatory requirements, and contractual obligations; § 6.4.3.4 ¶ 3c)] | Audits and risk management | Preventive | |
Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 [Any non-compliance with the basic requirements should be explained and justified. These basic requirements and their compliance should be the input for the likelihood assessment and for the risk treatment. § 6.2 ¶ 4 Risk assessment criteria, or a formal basis for defining them, should be standardized across the organization for all types of risk assessment, as this can facilitate the communication, comparison and aggregation of risks associated with multiple business domains. § 6.4.3.1 ¶ 5 Whether quantitative or qualitative criteria are used, evaluation scales should ultimately be anchored to a reference scale that is understood by all interested parties, and both risk analysis and risk evaluation should include at least periodic formal calibration against the reference scale to ensure validity, consistency and comparability of results. § 6.4.3.4 ¶ 7 {information security risk management method} It means the chosen method should ensure the following properties of results: comparability: risk assessment criteria should be defined to ensure that assessments performed for different risks produce comparable results when representing equivalent levels of risk; § 6.5 ¶ 4 Bullet 2 The risk assessment process should be based on methods (see 6.5) and tools designed in sufficient detail to ensure, as far as is possible, consistent, valid and reproducible results. Furthermore, the outcome should be comparable, e.g. to determine whether the level of risk increased or decreased. § 7.1 ¶ 5 {information security risk management method} It means the chosen method should ensure the following properties of results: consistency: assessments of the same risks performed by different persons, or by the same persons on different occasions, in the same context, should produce similar results; § 6.5 ¶ 4 Bullet 1] | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account information classification. CC ID 06477 [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: the classification level of information; § 6.4.3.1 ¶ 4a)] | Audits and risk management | Preventive | |
Employ risk assessment procedures that align with strategic objectives. CC ID 06474 [The risk assessment should help the organization make decisions about the management of the risks that affect the achievement of its objectives. This should therefore be targeted at those risks and controls that, if managed successfully, will improve the likelihood of the organization achieving its objectives. § 6.3 ¶ 3 Risk analysis should be targeted at those risks and controls that, if managed successfully, improve the likelihood of the organization achieving its objectives. It is easy to spend significant time on a risk assessment, notably the assessment of likelihoods and consequences. To enable efficient decision-making on the management of risks, it can be sufficient to use initial, and rough estimates of likelihood and consequence. § 7.3.1 ¶ 4] | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account the target environment. CC ID 06479 [{information security risk management method} It means the chosen method should ensure the following properties of results: validity: assessments should produce the results that accord as closely as possible with reality. § 6.5 ¶ 4 Bullet 3] | Audits and risk management | Preventive | |
Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 [An organization should define levels of risk acceptance. The following should be considered during development: different risk acceptance criteria can apply to different classes of risk (e.g. risks that can result in non-compliance with regulations or laws are not always retained, while acceptance of risks can be allowed if the acceptance is a result of a contractual requirement); § 6.4.2 ¶ 4e) Consequence criteria define how an organization categorizes the significance of potential information security events to the organization. It is essential to determine how many categories of consequences are used, how they are defined, and what consequences are associated with each category. Usually, consequence criteria are different for different organizations depending on the organization's internal and external context. § 6.4.3.2 ¶ 3 Depending on the situation, it is recommended to consider the inherent level of risk (without considering any controls), or the current level of risk (allowing for the effectiveness of any controls already implemented). The organization should develop a risk ranking, taking into account the following: § 6.4.3.4 ¶ 3 {external risk} The organization should develop a risk ranking, taking into account the following: risks that appear beyond the boundaries of the organization's scope, including unforeseen effects on third parties. § 6.4.3.4 ¶ 3d) Action: Level of risks should be compared against risk evaluation criteria, particularly risk acceptance criteria. § 7.4.1 ¶ 3] | Audits and risk management | Preventive | |
Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 [Information security risk assessment criteria should take into account the appropriateness of risk management activities. § 6.4.3.1 ¶ 3] | Audits and risk management | Preventive | |
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Audits and risk management | Preventive | |
Update the risk assessment upon changes to the risk profile. CC ID 11627 [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: § 5.2 ¶ 1 The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: analysing and learning lessons from incidents (including near misses), changes, trends, successes and failures; § 10.5.1 ¶ 2c)] | Audits and risk management | Detective | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Audits and risk management | Preventive | |
Create a risk assessment report based on the risk assessment results. CC ID 15695 [{risk treatment} Action: Information about the information security risk assessment and treatment results should be documented and retained. § 10.4.3 ¶ 2] | Audits and risk management | Preventive | |
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 | Audits and risk management | Preventive | |
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Audits and risk management | Preventive | |
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 | Audits and risk management | Preventive | |
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 | Audits and risk management | Preventive | |
Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk register. CC ID 14828 | Audits and risk management | Preventive | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [Risk treatment involves an iterative process of: deciding whether the remaining risk is acceptable; § 5.1 ¶ 6 Bullet 4 It is important to understand that risk appetite, defined as the amount of risk an organization is willing to pursue or accept, can vary considerably from organization to organization. For instance, factors affecting an organization's risk appetite include size, complexity and sector. Risk appetite should be set and regularly reviewed by top management. § 6.1 ¶ 3 An organization should define levels of risk acceptance. The following should be considered during development: § 6.4.2 ¶ 4 {is unacceptable} In risk evaluation, risk acceptance criteria should be used to determine whether a risk is acceptable or not. § 6.4.2 ¶ 2 An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can include multiple thresholds, and authority for acceptance can be assigned to different levels of management; § 6.4.2 ¶ 4c) An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can be based on likelihood and consequence alone, or can be extended to also consider the cost/benefit balance between prospective losses and the cost of controls; § 6.4.2 ¶ 4d) An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria should be defined based upon the risk appetite that indicates amount and type of risk that the organization is willing to pursue or retain; § 6.4.2 ¶ 4g) An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can be absolute or conditional depending on the context. § 6.4.2 ¶ 4h) The risk criteria should be kept under review and updated as necessary as a result of any changes in the context of information security risk management. § 6.4.2 ¶ 13 {determine} {appropriateness} {risk management activities} Considerations for achieving this include: consistency with the organizational risk criteria. § 6.4.3.1 ¶ 4h) Depending on the situation, it is recommended to consider the inherent level of risk (without considering any controls), or the current level of risk (allowing for the effectiveness of any controls already implemented). The organization should develop a risk ranking, taking into account the following: § 6.4.3.4 ¶ 3 Risk acceptance criteria should be established considering the following influencing factors: § 6.4.2 ¶ 5 The level of risk should be determined as a combination of the assessed likelihood and the assessed consequences for all relevant risk scenarios. § 7.3.4 ¶ 3 Action: Determine whether the residual risks are acceptable. § 8.6.3 ¶ 3] | Audits and risk management | Preventive | |
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 [Risk treatment involves an iterative process of: formulating and selecting risk treatment options; § 5.1 ¶ 6 Bullet 1 Action: Risk treatment options should be chosen. § 8.2 ¶ 3] | Audits and risk management | Preventive | |
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 [{requirements} Action: Compare all necessary controls with those listed in ISO/IEC 27001:2022, Annex A. § 8.4 ¶ 3] | Audits and risk management | Detective | |
Document the results of the gap analysis. CC ID 16271 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk treatment plan. CC ID 11983 [Risk treatment involves an iterative process of: planning and implementing risk treatment; § 5.1 ¶ 6 Bullet 2 An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can include requirements for future additional treatment (e.g. a risk can be retained on a short-term basis even when the level of risk exceeds the risk acceptance criteria if there is approval and commitment to take action to implement a chosen set of controls to reach an acceptable level within a defined time period); § 6.4.2 ¶ 4f) {risk management operational cycle} The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: operational cycle, where the above-mentioned elements serves as input information or changed criteria that will affect a risk assessment or assessment where the scenarios should be reviewed and updated. The review should include updating of the corresponding risk treatment as applicable. § 5.2 ¶ 1 Bullet 2 Action: Formulate risk treatment plan. § 8.6.1 ¶ 3 Action: The risk treatment process should be performed in accordance with Clause 8. § 9.2 ¶ 3 {risk treatment process} Action: Information about the information security risk assessment and treatment processes should be documented and retained. § 10.4.2 ¶ 2 {risk treatment} Action: Information about the information security risk assessment and treatment results should be documented and retained. § 10.4.3 ¶ 2 Action: Revise the risk treatment plan and implement it to modify the residual risk to an acceptable level. § 10.7 ¶ 3] | Audits and risk management | Preventive | |
Include roles and responsibilities in the risk treatment plan. CC ID 16991 | Audits and risk management | Preventive | |
Include time information in the risk treatment plan. CC ID 16993 | Audits and risk management | Preventive | |
Include allocation of resources in the risk treatment plan. CC ID 16989 | Audits and risk management | Preventive | |
Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Audits and risk management | Preventive | |
Include the risk treatment strategy in the risk treatment plan. CC ID 12159 [{be unacceptable} Risk treatment involves an iterative process of: taking further treatment if not acceptable. § 5.1 ¶ 6 Bullet 5] | Audits and risk management | Preventive | |
Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: § 5.2 ¶ 1] | Audits and risk management | Corrective | |
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 | Audits and risk management | Preventive | |
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 | Audits and risk management | Preventive | |
Review and approve the risk assessment findings. CC ID 06485 [Action: The results of information security risk assessment and status of the information security risk treatment plan should be reviewed to confirm that residual risks meet risk acceptance criteria, and that the risk treatment plan addresses all relevant risks and their risk treatment options. § 10.6 ¶ 3] | Audits and risk management | Preventive | |
Document residual risk in a residual risk report. CC ID 13664 | Audits and risk management | Corrective | |
Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 | Audits and risk management | Preventive | |
Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 | Audits and risk management | Preventive | |
Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 | Audits and risk management | Preventive | |
Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 | Audits and risk management | Preventive | |
Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 | Audits and risk management | Preventive | |
Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 | Audits and risk management | Preventive | |
Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 | Audits and risk management | Preventive | |
Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 | Audits and risk management | Preventive | |
Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 | Audits and risk management | Preventive | |
Include compliance requirements in the supply chain risk management policy. CC ID 14711 | Audits and risk management | Preventive | |
Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 | Audits and risk management | Preventive | |
Include management commitment in the supply chain risk management policy. CC ID 14709 | Audits and risk management | Preventive | |
Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 | Audits and risk management | Preventive | |
Include the scope in the supply chain risk management policy. CC ID 14707 | Audits and risk management | Preventive | |
Include the purpose in the supply chain risk management policy. CC ID 14706 | Audits and risk management | Preventive | |
Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 | Audits and risk management | Preventive | |
Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 | Audits and risk management | Preventive | |
Include dates in the supply chain risk management plan. CC ID 15617 | Audits and risk management | Preventive | |
Include implementation milestones in the supply chain risk management plan. CC ID 15615 | Audits and risk management | Preventive | |
Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 | Audits and risk management | Preventive | |
Include supply chain risk management procedures in the risk management program. CC ID 13190 | Audits and risk management | Preventive | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Operational management | Preventive | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Operational management | Preventive | |
Include risk management in the information security program. CC ID 12378 [Although almost anything is "possible", the risk sources that should be given primary attention are those with likelihoods most relevant to the organization's context and the scope of its ISMS. § 6.4.3.3 ¶ 5 The organization should ensure that its information security risk management approach aligns with the organizational risk management approach, so that any information security risks can be compared with other organizational risks and not only considered in isolation. § 7.1 ¶ 6] | Operational management | Preventive | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Audits and risk management | Detective | |
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Audits and risk management | Preventive | |
Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 | Audits and risk management | Preventive | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 [The organization should ensure that the role of the risk owner is determined in terms of the management activities regarding the identified risks. Risk owners should have appropriate accountability and authority for managing identified risks. § 6.1 ¶ 4 Action: Appropriate level of management should consider results related to information security risks, to decide on or endorse further actions. § 10.2 ¶ 3 Action: Risks should be associated to risk owners. § 7.2.2 ¶ 3] | Human Resources management | Preventive | |
Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 [The organization should ensure that the role of the risk owner is determined in terms of the management activities regarding the identified risks. Risk owners should have appropriate accountability and authority for managing identified risks. § 6.1 ¶ 4 An organization should define levels of risk acceptance. The following should be considered during development: the level of management with delegated authority to make risk acceptance decisions is identified; § 6.4.2 ¶ 4b)] | Human Resources management | Preventive | |
Include the management structure in the duties and responsibilities for risk management. CC ID 13665 | Human Resources management | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 | Audits and risk management | Detective | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Audits and risk management | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Monitor and evaluate environmental threats. CC ID 13481 | Monitoring and measurement | Detective | |
Establish, implement, and maintain compliance program metrics. CC ID 11625 [{risk management} The basic requirements of relevant interested parties should be identified, as well as the status of compliance with these requirements. This includes identifying all the reference documents that define security rules and controls and that apply within the scope of the information security risk assessment. § 6.2 ¶ 2] | Monitoring and measurement | Preventive | |
Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 | Audits and risk management | Preventive | |
Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 | Audits and risk management | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841 [Risk acceptance criteria should be established considering the following influencing factors: organizational objectives; § 6.4.2 ¶ 5 Bullet 1] | Leadership and high level objectives | Preventive | |
Update or adjust fraud detection systems, as necessary. CC ID 13684 | Monitoring and measurement | Corrective | |
Align the enterprise architecture with the system security plan. CC ID 14255 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Audits and risk management | Preventive | |
Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 [When defining consequence criteria, the following should especially be considered: loss of staff and intellectual capital (skills and expertise); § 6.4.3.2 ¶ 2c)] | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with individuals. CC ID 17170 [When defining consequence criteria, the following should especially be considered: adverse impact on interested parties; § 6.4.3.2 ¶ 2k) Risk acceptance criteria should be established considering the following influencing factors: human factors (e.g. related to privacy). § 6.4.2 ¶ 5 Bullet 9 When defining consequence criteria, the following should especially be considered: loss of life or harm to individuals or groups; § 6.4.3.2 ¶ 2a) When defining consequence criteria, the following should especially be considered: loss of freedom, dignity or right to privacy; § 6.4.3.2 ¶ 2b)] | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 [When defining consequence criteria, the following should especially be considered: breaches of legal, regulatory or statutory requirements; § 6.4.3.2 ¶ 2i)] | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 [When defining consequence criteria, the following should especially be considered: negative impact on the environment, pollution. § 6.4.3.2 ¶ 2l)] | Audits and risk management | Detective | |
Approve the risk acceptance level, as necessary. CC ID 17168 [The risk acceptance criteria should be approved by the authorized management level. § 6.4.2 ¶ 15] | Audits and risk management | Preventive | |
Analyze supply chain risk management procedures, as necessary. CC ID 13198 | Audits and risk management | Detective | |
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 [Risk acceptance criteria should be established considering the following influencing factors: technological constraints; § 6.4.2 ¶ 5 Bullet 5] | Operational management | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Retain records in accordance with applicable requirements. CC ID 00968 [{risk treatment process} Action: Information about the information security risk assessment and treatment processes should be documented and retained. § 10.4.2 ¶ 2 {risk treatment} Action: Information about the information security risk assessment and treatment results should be documented and retained. § 10.4.3 ¶ 2] | Records management | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Analyze the organization's information security environment. CC ID 13122 | Audits and risk management | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Review the risk assessments as compared to the in scope controls. CC ID 06978 [According to ISO/IEC 27001:2022, 6.1.2 b), the organization in the scope of the ISMS is required to ensure that repeated information security risk assessments produce consistent, valid and comparable results. It means the chosen method should ensure the following properties of results: § 6.5 ¶ 4] | Audits and risk management | Detective | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 [If the risk assessment provides sufficient information to effectively determine the actions required to modify the risks to an acceptable level, then the task is complete and the risk treatment follows. If the information is insufficient, another iteration of the risk assessment should be performed. This can involve a change of context of the risk assessment (e.g. revised scope), involvement of expertise in the relevant field, or other ways to collect the information required to enable risk modification to an acceptable level (see "risk decision point 1" in Figure 1). § 5.1 ¶ 5 Organizations can perform risk assessments embedded within many different processes, such as project management, vulnerability management, incident management, problem management, or even on an impromptu basis for a given identified specific topic. Regardless of how risk assessments are performed, they should collectively cover all the issues relevant to the organization within the scope of an ISMS. § 6.3 ¶ 2 {requirement} Action: The risk assessment process should be performed in accordance with Clause 7. § 9.1 ¶ 3] | Audits and risk management | Preventive | |
Determine the effectiveness of risk control measures. CC ID 06601 [Risk treatment involves an iterative process of: assessing the effectiveness of that treatment; § 5.1 ¶ 6 Bullet 3 The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: ensuring that the risk treatments are effective, efficient and economical in both design and operation; § 10.5.1 ¶ 2a)] | Audits and risk management | Detective | |
There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Leadership and high level objectives | Establish/Maintain Documentation | |
Update or adjust fraud detection systems, as necessary. CC ID 13684 | Monitoring and measurement | Process or Activity | |
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Audits and risk management | Acquisition/Sale of Assets or Services | |
Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to the entire risk assessment and the updates can be divided into two risk management cycles: § 5.2 ¶ 1] | Audits and risk management | Establish/Maintain Documentation | |
Document residual risk in a residual risk report. CC ID 13664 | Audits and risk management | Establish/Maintain Documentation | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Monitor and evaluate environmental threats. CC ID 13481 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Review the risk assessments as compared to the in scope controls. CC ID 06978 [According to ISO/IEC 27001:2022, 6.1.2 b), the organization in the scope of the ISMS is required to ensure that repeated information security risk assessments produce consistent, valid and comparable results. It means the chosen method should ensure the following properties of results: § 6.5 ¶ 4] | Audits and risk management | Testing | |
Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 | Audits and risk management | Business Processes | |
Analyze the risk management strategy for addressing threats. CC ID 12925 [In general, to set risk criteria, the following should be considered: how combinations and sequences of multiple risks will be taken into account; § 6.4.1 ¶ 3 Bullet 6] | Audits and risk management | Audits and Risk Management | |
Analyze the risk management strategy for addressing opportunities. CC ID 12924 [Risk acceptance criteria should be established considering the following influencing factors: organizational opportunities; § 6.4.2 ¶ 5 Bullet 2] | Audits and risk management | Audits and Risk Management | |
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Audits and risk management | Human Resources Management | |
Review the risk profiles, as necessary. CC ID 16561 | Audits and risk management | Audits and Risk Management | |
Update the risk assessment upon changes to the risk profile. CC ID 11627 [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to the entire risk assessment and the updates can be divided into two risk management cycles: § 5.2 ¶ 1 The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: analysing and learning lessons from incidents (including near misses), changes, trends, successes and failures; § 10.5.1 ¶ 2c)] | Audits and risk management | Establish/Maintain Documentation | |
Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and risk management | Audits and Risk Management | |
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 | Audits and risk management | Investigate | |
Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 [When defining consequence criteria, the following should especially be considered: loss of staff and intellectual capital (skills and expertise); § 6.4.3.2 ¶ 2c)] | Audits and risk management | Process or Activity | |
Assess the potential level of business impact risk associated with individuals. CC ID 17170 [When defining consequence criteria, the following should especially be considered: adverse impact on interested parties; § 6.4.3.2 ¶ 2k) Risk acceptance criteria should be established considering the following influencing factors: human factors (e.g. related to privacy). § 6.4.2 ¶ 5 Bullet 9 When defining consequence criteria, the following should especially be considered: loss of life or harm to individuals or groups; § 6.4.3.2 ¶ 2a) When defining consequence criteria, the following should especially be considered: loss of freedom, dignity or right to privacy; § 6.4.3.2 ¶ 2b)] | Audits and risk management | Process or Activity | |
Assess the potential level of business impact risk associated with each business process. CC ID 06463 [Risk acceptance criteria should be established considering the following influencing factors: processes; § 6.4.2 ¶ 5 Bullet 7 {determine} {appropriateness} {risk management activities} Considerations for achieving this include: the strategic value of the business processes that make use of the information; § 6.4.3.1 ¶ 4c) Risk acceptance criteria should be established considering the following influencing factors: operational activities; § 6.4.2 ¶ 5 Bullet 4 {internal operations} When defining consequence criteria, the following should especially be considered: impaired internal or third-party operations (e.g. damage to a business function or process); § 6.4.3.2 ¶ 2d)] | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with the business environment. CC ID 06464 [In general, to set risk criteria, the following should be considered: how consequence and likelihood will be defined, predicted and measured; § 6.4.1 ¶ 3 Bullet 2 Consequently, risk acceptance criteria should ideally include consideration of likelihood and consequence independently, as well as costs of management, rather than merely level of risk as a combination of likelihood and consequence. § 6.4.2 ¶ 10 When defining consequence criteria, the following should especially be considered: effects to plans and deadlines; § 6.4.3.2 ¶ 2e) When defining consequence criteria, the following should especially be considered: loss of business advantage or market share; § 6.4.3.2 ¶ 2g) {business value} When defining consequence criteria, the following should especially be considered: loss of business and financial value; § 6.4.3.2 ¶ 2f) ISO 31000 is referenced in ISO/IEC 27001 as a general model. ISO/IEC 27001:2022, 6.1.2, requires that for each identified risk, the risk analysis is based on assessing the consequences resulting from the risk and assessing the likelihood of the risk to determine a level of risk. § 7.3.1 ¶ 2] | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: the criticality of the information and assets related to information involved; § 6.4.3.1 ¶ 4d) {determine} {appropriateness} {risk management activities} Considerations for achieving this include: the quantity, and any concentration of information; § 6.4.3.1 ¶ 4b)] | Audits and risk management | Audits and Risk Management | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Audits and risk management | Investigate | |
Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 [When defining consequence criteria, the following should especially be considered: breaches of legal, regulatory or statutory requirements; § 6.4.3.2 ¶ 2i)] | Audits and risk management | Process or Activity | |
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: operational and business importance of availability, confidentiality and integrity; § 6.4.3.1 ¶ 4e) The consequences resulting from the failure to adequately preserve confidentiality, integrity or availability of information should be identified and assessed. § 7.3.2 ¶ 3] | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 [ISO/IEC 27001 is concerned with the consequences which are directly or indirectly affected by the preservation or loss of confidentiality, integrity and availability of information in the scope of the ISMS. Consequence criteria should be developed and specified in terms of the extent of damage or loss, or harm to an organization or individual resulting from the loss of confidentiality, integrity and availability of information. When defining consequence criteria, the following should especially be considered: § 6.4.3.2 ¶ 2] | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: negative consequences such as loss of goodwill and reputation; § 6.4.3.1 ¶ 4g) When defining consequence criteria, the following should especially be considered: damage to public trust or reputation; § 6.4.3.2 ¶ 2h)] | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 [When defining consequence criteria, the following should especially be considered: negative impact on the environment, pollution. § 6.4.3.2 ¶ 2l)] | Audits and risk management | Process or Activity | |
Assess the potential level of business impact risk associated with external entities. CC ID 06469 [Risk acceptance criteria should be established considering the following influencing factors: supplier relationships; § 6.4.2 ¶ 5 Bullet 8 When defining consequence criteria, the following should especially be considered: breaches of contracts or service levels; § 6.4.3.2 ¶ 2j) {internal operations} When defining consequence criteria, the following should especially be considered: impaired internal or third-party operations (e.g. damage to a business function or process); § 6.4.3.2 ¶ 2d)] | Audits and risk management | Audits and Risk Management | |
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 [{requirements} Action: Compare all necessary controls with those listed in ISO/IEC 27001:2022, Annex A. § 8.4 ¶ 3] | Audits and risk management | Establish/Maintain Documentation | |
Determine the effectiveness of risk control measures. CC ID 06601 [Risk treatment involves an iterative process of: assessing the effectiveness of that treatment; § 5.1 ¶ 6 Bullet 3 The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: ensuring that the risk treatments are effective, efficient and economical in both design and operation; § 10.5.1 ¶ 2a)] | Audits and risk management | Testing | |
Analyze the impact of artificial intelligence systems on society. CC ID 16317 | Audits and risk management | Audits and Risk Management | |
Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 | Audits and risk management | Audits and Risk Management | |
Analyze supply chain risk management procedures, as necessary. CC ID 13198 | Audits and risk management | Process or Activity | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 [{risk management} The basic requirements of relevant interested parties should be identified, as well as the status of compliance with these requirements. This includes identifying all the reference documents that define security rules and controls and that apply within the scope of the information security risk assessment. § 6.2 ¶ 2 {determine} {appropriateness} {risk management activities} Considerations for achieving this include: the expectations and perceptions of interested parties (e.g. top management); § 6.4.3.1 ¶ 4f)] | Leadership and high level objectives | Business Processes | |
Establish and maintain an Authority Document list. CC ID 07113 [{risk management} The basic requirements of relevant interested parties should be identified, as well as the status of compliance with these requirements. This includes identifying all the reference documents that define security rules and controls and that apply within the scope of the information security risk assessment. § 6.2 ¶ 2] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 [Any non-compliance with the basic requirements should be explained and justified. These basic requirements and their compliance should be the input for the likelihood assessment and for the risk treatment. § 6.2 ¶ 4] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include cost benefit analysis in the decision management strategy. CC ID 14014 [An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can be based on likelihood and consequence alone, or can be extended to also consider the cost/benefit balance between prospective losses and the cost of controls; § 6.4.2 ¶ 4d) Consequently, risk acceptance criteria should ideally include consideration of likelihood and consequence independently, as well as costs of management, rather than merely level of risk as a combination of likelihood and consequence. § 6.4.2 ¶ 10] | Leadership and high level objectives | Establish/Maintain Documentation | |
Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841 [Risk acceptance criteria should be established considering the following influencing factors: organizational objectives; § 6.4.2 ¶ 5 Bullet 1] | Leadership and high level objectives | Process or Activity | |
Establish, implement, and maintain a risk monitoring program. CC ID 00658 [The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: § 10.5.1 ¶ 2 The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: obtaining information to improve future risk assessments; § 10.5.1 ¶ 2b) The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: detecting changes in the internal and external context, including changes to risk criteria and the risks themselves, which can require revision of risk treatments and priorities; § 10.5.1 ¶ 2d) Action: Risks and their factors (i.e. value of assets, consequences, threats, vulnerabilities, likelihood of occurrence) should be monitored and reviewed to identify any changes in the context of the organization at an early stage, and to maintain an overview of the complete risk picture. § 10.5.2 ¶ 3 The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: identifying emerging risks. § 10.5.1 ¶ 2e)] | Monitoring and measurement | Establish/Maintain Documentation | |
Include a system description in the system security plan. CC ID 16467 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a description of the operational context in the system security plan. CC ID 14301 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the results of the security categorization in the system security plan. CC ID 14281 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the information types in the system security plan. CC ID 14696 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the security requirements in the system security plan. CC ID 14274 | Monitoring and measurement | Establish/Maintain Documentation | |
Include cryptographic key management procedures in the system security plan. CC ID 17029 | Monitoring and measurement | Establish/Maintain Documentation | |
Include threats in the system security plan. CC ID 14693 | Monitoring and measurement | Establish/Maintain Documentation | |
Include network diagrams in the system security plan. CC ID 14273 | Monitoring and measurement | Establish/Maintain Documentation | |
Include roles and responsibilities in the system security plan. CC ID 14682 | Monitoring and measurement | Establish/Maintain Documentation | |
Include backup and recovery procedures in the system security plan. CC ID 17043 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Monitoring and measurement | Establish/Maintain Documentation | |
Include remote access methods in the system security plan. CC ID 16441 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Monitoring and measurement | Communicate | |
Include a description of the operational environment in the system security plan. CC ID 14272 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the security categorizations and rationale in the system security plan. CC ID 14270 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the authorization boundary in the system security plan. CC ID 14257 | Monitoring and measurement | Establish/Maintain Documentation | |
Align the enterprise architecture with the system security plan. CC ID 14255 | Monitoring and measurement | Process or Activity | |
Include security controls in the system security plan. CC ID 14239 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the assessment team in the test plan. CC ID 14297 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the scope in the test plans. CC ID 14293 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the assessment environment in the test plan. CC ID 14271 | Monitoring and measurement | Establish/Maintain Documentation | |
Approve the system security plan. CC ID 14241 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain risk management metrics. CC ID 01656 [{be equivalent} If a qualitative approach is used, the levels of any qualitative scale should be unambiguous, its increments should be clearly defined, the qualitative descriptions for each level should be expressed in objective language and the levels should not overlap. When different scales are used (e.g. to address risks in different business domains), there should be an equivalency to allow comparable results. § 6.4.3.4 ¶ 8 The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: analysing and learning lessons from incidents (including near misses), changes, trends, successes and failures; § 10.5.1 ¶ 2c)] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain compliance program metrics. CC ID 11625 [{risk management} The basic requirements of relevant interested parties should be identified, as well as the status of compliance with these requirements. This includes identifying all the reference documents that define security rules and controls and that apply within the scope of the information security risk assessment. § 6.2 ¶ 2] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a risk management program. CC ID 12051 [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: § 5.2 ¶ 1 {risk management operational cycle} The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: operational cycle, where the above-mentioned elements serves as input information or changed criteria that will affect a risk assessment or assessment where the scenarios should be reviewed and updated. The review should include updating of the corresponding risk treatment as applicable. § 5.2 ¶ 1 Bullet 2 {risk management strategic cycle} {risk management operational cycle} The strategic cycle should be conducted at longer time basis or when major changes occur while the operational cycle should be shorter depending on the detailed risks that are identified and assessed as well as the related risk treatment. § 5.2 ¶ 2 Action: The information security risk management process should be continually monitored, reviewed and improved as necessary. § 10.8 ¶ 3] | Audits and risk management | Establish/Maintain Documentation | |
Include the scope of risk management activities in the risk management program. CC ID 13658 | Audits and risk management | Establish/Maintain Documentation | |
Integrate the risk management program with the organization's business activities. CC ID 13661 | Audits and risk management | Business Processes | |
Integrate the risk management program into daily business decision-making. CC ID 13659 [The risk assessment should help the organization make decisions about the management of the risks that affect the achievement of its objectives. This should therefore be targeted at those risks and controls that, if managed successfully, will improve the likelihood of the organization achieving its objectives. § 6.3 ¶ 3] | Audits and risk management | Business Processes | |
Include managing mobile risks in the risk management program. CC ID 13535 | Audits and risk management | Establish/Maintain Documentation | |
Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 | Audits and risk management | Audits and Risk Management | |
Include regular updating in the risk management system. CC ID 14990 | Audits and risk management | Business Processes | |
Establish, implement, and maintain a risk management policy. CC ID 17192 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain risk management strategies. CC ID 13209 [{risk management strategic cycle} The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: strategic cycle, where business assets, risk sources and threats, target objectives or consequences to information security events are evolving from changes in the overall context of the organization. This can result as inputs for an overall update of the risk assessment or risk assessments and the risk treatments. It can also serve as an input for identifying new risks and initiate completely new risk assessments; § 5.2 ¶ 1 Bullet 1 {risk management strategic cycle} {risk management operational cycle} The strategic cycle should be conducted at longer time basis or when major changes occur while the operational cycle should be shorter depending on the detailed risks that are identified and assessed as well as the related risk treatment. § 5.2 ¶ 2 {risk management approach} The chosen approach should be documented. § 6.5 ¶ 3] | Audits and risk management | Establish/Maintain Documentation | |
Include off-site storage of supplies in the risk management strategies. CC ID 13221 | Audits and risk management | Establish/Maintain Documentation | |
Include data quality in the risk management strategies. CC ID 15308 | Audits and risk management | Data and Information Management | |
Include minimizing service interruptions in the risk management strategies. CC ID 13215 | Audits and risk management | Establish/Maintain Documentation | |
Include off-site storage in the risk mitigation strategies. CC ID 13213 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Establish/Maintain Documentation | |
Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 [An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can include multiple thresholds, and authority for acceptance can be assigned to different levels of management; § 6.4.2 ¶ 4c)] | Audits and risk management | Establish Roles | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: § 5.2 ¶ 1 The organization should use the organizational risk assessment process (if established) to assess risks to information or to define an information security risk assessment process. § 7.1 ¶ 1 {risk treatment process} Action: Information about the information security risk assessment and treatment processes should be documented and retained. § 10.4.2 ¶ 2] | Audits and risk management | Establish/Maintain Documentation | |
Include the need for risk assessments in the risk assessment program. CC ID 06447 [The context of the risk assessment should be determined including a description of scope and purpose as well as internal and external issues that affect the risk assessment. § 7.1 ¶ 3] | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain the factors and context for risk to the organization. CC ID 12230 [In general, to set risk criteria, the following should be considered: the nature and type of uncertainties that can affect outcomes and objectives (both tangible and intangible); § 6.4.1 ¶ 3 Bullet 1 In general, to set risk criteria, the following should be considered: time-related factors; § 6.4.1 ¶ 3 Bullet 3 In general, to set risk criteria, the following should be considered: the organization's capacity. § 6.4.1 ¶ 3 Bullet 7 The list of influencing factors is not exhaustive. The organization should consider the influencing factors based on the context. § 6.4.2 ¶ 6 The context of the risk assessment should be determined including a description of scope and purpose as well as internal and external issues that affect the risk assessment. § 7.1 ¶ 3 Action: All relevant data should be considered to identify and describe internal and external issues influencing information security risk management and requirements of interested parties. § 10.1 ¶ 3] | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 [Risk acceptance criteria should be established considering the following influencing factors: financial constraints; § 6.4.2 ¶ 5 Bullet 6] | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain insurance requirements. CC ID 16562 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Audits and risk management | Communicate | |
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Audits and risk management | Communicate | |
Address cybersecurity risks in the risk assessment program. CC ID 13193 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain fundamental rights impact assessments. CC ID 17217 | Audits and risk management | Audits and Risk Management | |
Include the categories of data used by the system in the fundamental rights impact assessment. CC ID 17248 | Audits and risk management | Establish/Maintain Documentation | |
Include metrics in the fundamental rights impact assessment. CC ID 17249 | Audits and risk management | Establish/Maintain Documentation | |
Include the benefits of the system in the fundamental rights impact assessment. CC ID 17244 | Audits and risk management | Establish/Maintain Documentation | |
Include user safeguards in the fundamental rights impact assessment. CC ID 17255 | Audits and risk management | Establish/Maintain Documentation | |
Include the outputs produced by the system in the fundamental rights impact assessment. CC ID 17247 | Audits and risk management | Establish/Maintain Documentation | |
Include the purpose in the fundamental rights impact assessment. CC ID 17243 | Audits and risk management | Establish/Maintain Documentation | |
Include monitoring procedures in the fundamental rights impact assessment. CC ID 17254 | Audits and risk management | Establish/Maintain Documentation | |
Include risk management measures in the fundamental rights impact assessment. CC ID 17224 | Audits and risk management | Establish/Maintain Documentation | |
Include human oversight measures in the fundamental rights impact assessment. CC ID 17223 | Audits and risk management | Establish/Maintain Documentation | |
Include risks in the fundamental rights impact assessment. CC ID 17222 | Audits and risk management | Establish/Maintain Documentation | |
Include affected parties in the fundamental rights impact assessment. CC ID 17221 | Audits and risk management | Establish/Maintain Documentation | |
Include the frequency in the fundamental rights impact assessment. CC ID 17220 | Audits and risk management | Establish/Maintain Documentation | |
Include the usage duration in the fundamental rights impact assessment. CC ID 17219 | Audits and risk management | Establish/Maintain Documentation | |
Include system use in the fundamental rights impact assessment. CC ID 17218 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Audits and risk management | Process or Activity | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Audits and risk management | Communicate | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Audits and risk management | Establish/Maintain Documentation | |
Include compliance requirements in the risk assessment policy. CC ID 14121 | Audits and risk management | Establish/Maintain Documentation | |
Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Audits and risk management | Establish/Maintain Documentation | |
Include management commitment in the risk assessment policy. CC ID 14119 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope in the risk assessment policy. CC ID 14117 | Audits and risk management | Establish/Maintain Documentation | |
Include the purpose in the risk assessment policy. CC ID 14116 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Audits and risk management | Communicate | |
Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 [{legal aspects} Risk acceptance criteria should be established considering the following influencing factors: legal and regulatory aspects; § 6.4.2 ¶ 5 Bullet 3 {legal requirements} The organization should develop a risk ranking, taking into account the following: legal and regulatory requirements, and contractual obligations; § 6.4.3.4 ¶ 3c)] | Audits and risk management | Establish/Maintain Documentation | |
Analyze the organization's information security environment. CC ID 13122 | Audits and risk management | Technical Security | |
Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 [Any non-compliance with the basic requirements should be explained and justified. These basic requirements and their compliance should be the input for the likelihood assessment and for the risk treatment. § 6.2 ¶ 4 Risk assessment criteria, or a formal basis for defining them, should be standardized across the organization for all types of risk assessment, as this can facilitate the communication, comparison and aggregation of risks associated with multiple business domains. § 6.4.3.1 ¶ 5 Whether quantitative or qualitative criteria are used, evaluation scales should ultimately be anchored to a reference scale that is understood by all interested parties, and both risk analysis and risk evaluation should include at least periodic formal calibration against the reference scale to ensure validity, consistency and comparability of results. § 6.4.3.4 ¶ 7 {information security risk management method} It means the chosen method should ensure the following properties of results: comparability: risk assessment criteria should be defined to ensure that assessments performed for different risks produce comparable results when representing equivalent levels of risk; § 6.5 ¶ 4 Bullet 2 The risk assessment process should be based on methods (see 6.5) and tools designed in sufficient detail to ensure, as far as is possible, consistent, valid and reproducible results. Furthermore, the outcome should be comparable, e.g. to determine whether the level of risk increased or decreased. § 7.1 ¶ 5 {information security risk management method} It means the chosen method should ensure the following properties of results: consistency: assessments of the same risks performed by different persons, or by the same persons on different occasions, in the same context, should produce similar results; § 6.5 ¶ 4 Bullet 1] | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that take into account information classification. CC ID 06477 [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: the classification level of information; § 6.4.3.1 ¶ 4a)] | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that align with strategic objectives. CC ID 06474 [The risk assessment should help the organization make decisions about the management of the risks that affect the achievement of its objectives. This should therefore be targeted at those risks and controls that, if managed successfully, will improve the likelihood of the organization achieving its objectives. § 6.3 ¶ 3 Risk analysis should be targeted at those risks and controls that, if managed successfully, improve the likelihood of the organization achieving its objectives. It is easy to spend significant time on a risk assessment, notably the assessment of likelihoods and consequences. To enable efficient decision-making on the management of risks, it can be sufficient to use initial, and rough estimates of likelihood and consequence. § 7.3.1 ¶ 4] | Audits and risk management | Establish/Maintain Documentation | |
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Audits and risk management | Human Resources Management | |
Employ risk assessment procedures that take into account the target environment. CC ID 06479 [{information security risk management method} It means the chosen method should ensure the following properties of results: validity: assessments should produce the results that accord as closely as possible with reality. § 6.5 ¶ 4 Bullet 3] | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 [An organization should define levels of risk acceptance. The following should be considered during development: different risk acceptance criteria can apply to different classes of risk (e.g. risks that can result in non-compliance with regulations or laws are not always retained, while acceptance of risks can be allowed if the acceptance is a result of a contractual requirement); § 6.4.2 ¶ 4e) Consequence criteria define how an organization categorizes the significance of potential information security events to the organization. It is essential to determine how many categories of consequences are used, how they are defined, and what consequences are associated with each category. Usually, consequence criteria are different for different organizations depending on the organization's internal and external context. § 6.4.3.2 ¶ 3 Depending on the situation, it is recommended to consider the inherent level of risk (without considering any controls), or the current level of risk (allowing for the effectiveness of any controls already implemented). The organization should develop a risk ranking, taking into account the following: § 6.4.3.4 ¶ 3 {external risk} The organization should develop a risk ranking, taking into account the following: risks that appear beyond the boundaries of the organization's scope, including unforeseen effects on third parties. § 6.4.3.4 ¶ 3d) Action: Level of risks should be compared against risk evaluation criteria, particularly risk acceptance criteria. § 7.4.1 ¶ 3] | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 [Information security risk assessment criteria should take into account the appropriateness of risk management activities. § 6.4.3.1 ¶ 3] | Audits and risk management | Establish/Maintain Documentation | |
Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 [Action: Risks associated with the loss of confidentiality, integrity and availability of information should be identified. § 7.2.1 ¶ 3] | Audits and risk management | Audits and Risk Management | |
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 [In general, to set risk criteria, the following should be considered: how consequence and likelihood will be defined, predicted and measured; § 6.4.1 ¶ 3 Bullet 2 Consequently, risk acceptance criteria should ideally include consideration of likelihood and consequence independently, as well as costs of management, rather than merely level of risk as a combination of likelihood and consequence. § 6.4.2 ¶ 10 Likelihood criteria should cover the predictably manageable range of anticipated event likelihoods. Beyond the limits of practicable manageability, it is typically only necessary to recognize that one or another limit has been exceeded in order to make an adequate risk management decision (designation as an extreme case). If finite scales are too wide, this typically results in excessively coarse quantization and can lead to error in assessment. This is particularly the case where likelihoods fall into the high end of exponentially represented scales, as the increments in the upper ranges are intrinsically very wide. § 6.4.3.3 ¶ 4 The organization should develop a risk ranking, taking into account the following: the consequence criteria and likelihood criteria; § 6.4.3.4 ¶ 3a) ISO 31000 is referenced in ISO/IEC 27001 as a general model. ISO/IEC 27001:2022, 6.1.2, requires that for each identified risk, the risk analysis is based on assessing the consequences resulting from the risk and assessing the likelihood of the risk to determine a level of risk. § 7.3.1 ¶ 2 The likelihood of occurrence of possible or actual scenarios should be assessed and expressed using established likelihood criteria. § 7.3.3 ¶ 3] | Audits and risk management | Audits and Risk Management | |
Approve the threat and risk classification scheme. CC ID 15693 | Audits and risk management | Business Processes | |
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 [Whether quantitative or qualitative criteria are used, evaluation scales should ultimately be anchored to a reference scale that is understood by all interested parties, and both risk analysis and risk evaluation should include at least periodic formal calibration against the reference scale to ensure validity, consistency and comparability of results. § 6.4.3.4 ¶ 7] | Audits and risk management | Communicate | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 [If the risk assessment provides sufficient information to effectively determine the actions required to modify the risks to an acceptable level, then the task is complete and the risk treatment follows. If the information is insufficient, another iteration of the risk assessment should be performed. This can involve a change of context of the risk assessment (e.g. revised scope), involvement of expertise in the relevant field, or other ways to collect the information required to enable risk modification to an acceptable level (see "risk decision point 1" in Figure 1). § 5.1 ¶ 5 Organizations can perform risk assessments embedded within many different processes, such as project management, vulnerability management, incident management, problem management, or even on an impromptu basis for a given identified specific topic. Regardless of how risk assessments are performed, they should collectively cover all the issues relevant to the organization within the scope of an ISMS. § 6.3 ¶ 2 {requirement} Action: The risk assessment process should be performed in accordance with Clause 7. § 9.1 ¶ 3] | Audits and risk management | Testing | |
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Audits and risk management | Establish/Maintain Documentation | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Audits and risk management | Establish/Maintain Documentation | |
Create a risk assessment report based on the risk assessment results. CC ID 15695 [{risk treatment} Action: Information about the information security risk assessment and treatment results should be documented and retained. § 10.4.3 ¶ 2] | Audits and risk management | Establish/Maintain Documentation | |
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Audits and risk management | Communicate | |
Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 [Action: Information on risks, their causes, consequences, their likelihood and the controls being taken to treat them should be communicated to, or obtained from, the external and internal interested parties. § 10.3 ¶ 4] | Audits and risk management | Behavior | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 [The organization should develop a risk ranking, taking into account the following: the consequence criteria and likelihood criteria; § 6.4.3.4 ¶ 3a) The consequences resulting from the failure to adequately preserve confidentiality, integrity or availability of information should be identified and assessed. § 7.3.2 ¶ 3 The organization should develop a risk ranking, taking into account the following: the consequences that information security events can have on strategic, tactical and operational levels (this can be defined as worst case or in other terms provided the same basis is used consistently); § 6.4.3.4 ¶ 3b)] | Audits and risk management | Audits and Risk Management | |
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 | Audits and risk management | Establish/Maintain Documentation | |
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Audits and risk management | Establish/Maintain Documentation | |
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 | Audits and risk management | Establish/Maintain Documentation | |
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 | Audits and risk management | Establish/Maintain Documentation | |
Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 | Audits and risk management | Communicate | |
Establish, implement, and maintain a risk register. CC ID 14828 | Audits and risk management | Establish/Maintain Documentation | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [The organization should use the organizational risk assessment process (if established) to assess risks to information or to define an information security risk assessment process. § 7.1 ¶ 1] | Audits and risk management | Audits and Risk Management | |
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 [In general, to set risk criteria, the following should be considered: consistency in the use of measurements; § 6.4.1 ¶ 3 Bullet 4 In general, to set risk criteria, the following should be considered: how the level of risk will be determined; § 6.4.1 ¶ 3 Bullet 5 Consequence criteria define how an organization categorizes the significance of potential information security events to the organization. It is essential to determine how many categories of consequences are used, how they are defined, and what consequences are associated with each category. Usually, consequence criteria are different for different organizations depending on the organization's internal and external context. § 6.4.3.2 ¶ 3 {be equivalent} If a qualitative approach is used, the levels of any qualitative scale should be unambiguous, its increments should be clearly defined, the qualitative descriptions for each level should be expressed in objective language and the levels should not overlap. When different scales are used (e.g. to address risks in different business domains), there should be an equivalency to allow comparable results. § 6.4.3.4 ¶ 8] | Audits and risk management | Audits and Risk Management | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [Risk treatment involves an iterative process of: deciding whether the remaining risk is acceptable; § 5.1 ¶ 6 Bullet 4 It is important to understand that risk appetite, defined as the amount of risk an organization is willing to pursue or accept, can vary considerably from organization to organization. For instance, factors affecting an organization's risk appetite include size, complexity and sector. Risk appetite should be set and regularly reviewed by top management. § 6.1 ¶ 3 An organization should define levels of risk acceptance. The following should be considered during development: § 6.4.2 ¶ 4 {is unacceptable} In risk evaluation, risk acceptance criteria should be used to determine whether a risk is acceptable or not. § 6.4.2 ¶ 2 An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can include multiple thresholds, and authority for acceptance can be assigned to different levels of management; § 6.4.2 ¶ 4c) An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can be based on likelihood and consequence alone, or can be extended to also consider the cost/benefit balance between prospective losses and the cost of controls; § 6.4.2 ¶ 4d) An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria should be defined based upon the risk appetite that indicates amount and type of risk that the organization is willing to pursue or retain; § 6.4.2 ¶ 4g) An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can be absolute or conditional depending on the context. § 6.4.2 ¶ 4h) The risk criteria should be kept under review and updated as necessary as a result of any changes in the context of information security risk management. § 6.4.2 ¶ 13 {determine} {appropriateness} {risk management activities} Considerations for achieving this include: consistency with the organizational risk criteria. § 6.4.3.1 ¶ 4h) Depending on the situation, it is recommended to consider the inherent level of risk (without considering any controls), or the current level of risk (allowing for the effectiveness of any controls already implemented). The organization should develop a risk ranking, taking into account the following: § 6.4.3.4 ¶ 3 Risk acceptance criteria should be established considering the following influencing factors: § 6.4.2 ¶ 5 The level of risk should be determined as a combination of the assessed likelihood and the assessed consequences for all relevant risk scenarios. § 7.3.4 ¶ 3 Action: Determine whether the residual risks are acceptable. § 8.6.3 ¶ 3] | Audits and risk management | Establish/Maintain Documentation | |
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 [Risk treatment involves an iterative process of: formulating and selecting risk treatment options; § 5.1 ¶ 6 Bullet 1 Action: Risk treatment options should be chosen. § 8.2 ¶ 3] | Audits and risk management | Establish/Maintain Documentation | |
Approve the risk acceptance level, as necessary. CC ID 17168 [The risk acceptance criteria should be approved by the authorized management level. § 6.4.2 ¶ 15] | Audits and risk management | Process or Activity | |
Document the results of the gap analysis. CC ID 16271 | Audits and risk management | Establish/Maintain Documentation | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [The purpose of scales for level of risk is to help risk owners to decide about retaining or otherwise treating risks and to prioritize them for risk treatment. The assessed level of a particular risk should help the organization to determine the urgency for addressing that risk. § 6.4.3.4 ¶ 2 Action: The risks on the list should be prioritized for risk treatment, considering assessed levels of risks. § 7.4.2 ¶ 3 The output of this process is a set of necessary information security controls [see ISO/IEC 27001:2022, 6.1.3 b)] that are to be deployed or enhanced in relation to one another, in accordance with the risk treatment plan [see ISO/IEC 27001:2022, 6.1.3 e)]. Deployed in this way, the effectiveness of the risk treatment plan is to modify the information security risk facing the organization so that it meets the organization's criteria for acceptance. § 8.1 ¶ 2 Action: Determine all controls, from the chosen control sets as selected from an appropriate source, that are necessary for treating the risks based on the risk treatment options chosen, such as to modify, retain, avoid or share the risks. § 8.3 ¶ 3] | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain a risk treatment plan. CC ID 11983 [Risk treatment involves an iterative process of: planning and implementing risk treatment; § 5.1 ¶ 6 Bullet 2 An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can include requirements for future additional treatment (e.g. a risk can be retained on a short-term basis even when the level of risk exceeds the risk acceptance criteria if there is approval and commitment to take action to implement a chosen set of controls to reach an acceptable level within a defined time period); § 6.4.2 ¶ 4f) {risk management operational cycle} The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: operational cycle, where the above-mentioned elements serves as input information or changed criteria that will affect a risk assessment or assessment where the scenarios should be reviewed and updated. The review should include updating of the corresponding risk treatment as applicable. § 5.2 ¶ 1 Bullet 2 Action: Formulate risk treatment plan. § 8.6.1 ¶ 3 Action: The risk treatment process should be performed in accordance with Clause 8. § 9.2 ¶ 3 {risk treatment process} Action: Information about the information security risk assessment and treatment processes should be documented and retained. § 10.4.2 ¶ 2 {risk treatment} Action: Information about the information security risk assessment and treatment results should be documented and retained. § 10.4.3 ¶ 2 Action: Revise the risk treatment plan and implement it to modify the residual risk to an acceptable level. § 10.7 ¶ 3] | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the risk treatment plan. CC ID 16991 | Audits and risk management | Establish/Maintain Documentation | |
Include time information in the risk treatment plan. CC ID 16993 | Audits and risk management | Establish/Maintain Documentation | |
Include allocation of resources in the risk treatment plan. CC ID 16989 | Audits and risk management | Establish/Maintain Documentation | |
Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Audits and risk management | Establish/Maintain Documentation | |
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and risk management | Audits and Risk Management | |
Include the risk treatment strategy in the risk treatment plan. CC ID 12159 [{be unacceptable} Risk treatment involves an iterative process of: taking further treatment if not acceptable. § 5.1 ¶ 6 Bullet 5] | Audits and risk management | Establish/Maintain Documentation | |
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 | Audits and risk management | Establish/Maintain Documentation | |
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 [Action: Information on risks, their causes, consequences, their likelihood and the controls being taken to treat them should be communicated to, or obtained from, the external and internal interested parties. § 10.3 ¶ 4] | Audits and risk management | Communicate | |
Approve the risk treatment plan. CC ID 13495 [{approve} Action: Approval of risk treatment plan(s) by risk owners. § 8.6.2 ¶ 3 Action: The results of information security risk assessment and status of the information security risk treatment plan should be reviewed to confirm that residual risks meet risk acceptance criteria, and that the risk treatment plan addresses all relevant risks and their risk treatment options. § 10.6 ¶ 3] | Audits and risk management | Audits and Risk Management | |
Review and approve the risk assessment findings. CC ID 06485 [Action: The results of information security risk assessment and status of the information security risk treatment plan should be reviewed to confirm that residual risks meet risk acceptance criteria, and that the risk treatment plan addresses all relevant risks and their risk treatment options. § 10.6 ¶ 3] | Audits and risk management | Establish/Maintain Documentation | |
Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 [It is important to understand that risk appetite, defined as the amount of risk an organization is willing to pursue or accept, can vary considerably from organization to organization. For instance, factors affecting an organization's risk appetite include size, complexity and sector. Risk appetite should be set and regularly reviewed by top management. § 6.1 ¶ 3] | Audits and risk management | Business Processes | |
Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 | Audits and risk management | Establish/Maintain Documentation | |
Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 | Audits and risk management | Establish/Maintain Documentation | |
Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 | Audits and risk management | Business Processes | |
Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 | Audits and risk management | Audits and Risk Management | |
Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 | Audits and risk management | Establish/Maintain Documentation | |
Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 | Audits and risk management | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 | Audits and risk management | Communicate | |
Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 | Audits and risk management | Communicate | |
Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 | Audits and risk management | Establish/Maintain Documentation | |
Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 | Audits and risk management | Communicate | |
Acquire cyber insurance, as necessary. CC ID 12693 | Audits and risk management | Business Processes | |
Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 | Audits and risk management | Establish/Maintain Documentation | |
Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 | Audits and risk management | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 | Audits and risk management | Establish/Maintain Documentation | |
Include compliance requirements in the supply chain risk management policy. CC ID 14711 | Audits and risk management | Establish/Maintain Documentation | |
Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 | Audits and risk management | Establish/Maintain Documentation | |
Include management commitment in the supply chain risk management policy. CC ID 14709 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope in the supply chain risk management policy. CC ID 14707 | Audits and risk management | Establish/Maintain Documentation | |
Include the purpose in the supply chain risk management policy. CC ID 14706 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 | Audits and risk management | Communicate | |
Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 | Audits and risk management | Establish/Maintain Documentation | |
Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 | Audits and risk management | Establish/Maintain Documentation | |
Include dates in the supply chain risk management plan. CC ID 15617 | Audits and risk management | Establish/Maintain Documentation | |
Include implementation milestones in the supply chain risk management plan. CC ID 15615 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 | Audits and risk management | Establish/Maintain Documentation | |
Include supply chain risk management procedures in the risk management program. CC ID 13190 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 | Audits and risk management | Communicate | |
Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 | Audits and risk management | Human Resources Management | |
Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 | Audits and risk management | Communicate | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Human Resources management | Establish Roles | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 | Human Resources management | Establish Roles | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 [The organization should ensure that the role of the risk owner is determined in terms of the management activities regarding the identified risks. Risk owners should have appropriate accountability and authority for managing identified risks. § 6.1 ¶ 4 Action: Appropriate level of management should consider results related to information security risks, to decide on or endorse further actions. § 10.2 ¶ 3 Action: Risks should be associated to risk owners. § 7.2.2 ¶ 3] | Human Resources management | Human Resources Management | |
Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 [The organization should ensure that the role of the risk owner is determined in terms of the management activities regarding the identified risks. Risk owners should have appropriate accountability and authority for managing identified risks. § 6.1 ¶ 4 An organization should define levels of risk acceptance. The following should be considered during development: the level of management with delegated authority to make risk acceptance decisions is identified; § 6.4.2 ¶ 4b)] | Human Resources management | Human Resources Management | |
Include the management structure in the duties and responsibilities for risk management. CC ID 13665 | Human Resources management | Human Resources Management | |
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 [Risk acceptance criteria should be established considering the following influencing factors: technological constraints; § 6.4.2 ¶ 5 Bullet 5] | Operational management | Process or Activity | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 [Action: Produce a Statement of Applicability. § 8.5 ¶ 3] | Operational management | Business Processes | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Operational management | Establish/Maintain Documentation | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Operational management | Establish/Maintain Documentation | |
Include risk management in the information security program. CC ID 12378 [Although almost anything is "possible", the risk sources that should be given primary attention are those with likelihoods most relevant to the organization's context and the scope of its ISMS. § 6.4.3.3 ¶ 5 The organization should ensure that its information security risk management approach aligns with the organizational risk management approach, so that any information security risks can be compared with other organizational risks and not only considered in isolation. § 7.1 ¶ 6] | Operational management | Establish/Maintain Documentation | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Establish/Maintain Documentation | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 [An organization should define levels of risk acceptance. The following should be considered during development: consistency between the information security risk acceptance criteria and the organization's general risk acceptance criteria; § 6.4.2 ¶ 4a) {risk management methods} In general, the information security risk management approach and methods should be aligned with the approach and methods used to manage the other risks of the organization. § 6.5 ¶ 2] | Operational management | Business Processes | |
Retain records in accordance with applicable requirements. CC ID 00968 [{risk treatment process} Action: Information about the information security risk assessment and treatment processes should be documented and retained. § 10.4.2 ¶ 2 {risk treatment} Action: Information about the information security risk assessment and treatment results should be documented and retained. § 10.4.3 ¶ 2] | Records management | Records Management | |