Authority Document - Unified Compliance

International > International Organization for Standardization

ISO/IEC 27005: Information security, cybersecurity and privacy protection — Guidance on managing information security risks, Fourth edition

AD ID

0003954

AD STATUS

ISO/IEC 27005: Information security, cybersecurity and privacy protection — Guidance on managing information security risks, Fourth edition

ORIGINATOR

International Organization for Standardization

TYPE

International or National Standard

AVAILABILITY

Free

SYNONYMS

ISO 27005:2022

ISO/IEC 27005: Information security, cybersecurity and privacy protection — Guidance on managing information security risks

EFFECTIVE

2022-10-01

ADDED

The document as a whole was last reviewed and released on 2024-08-09T00:00:00-0700.

URL

Click here

AD ID

0003954

AD STATUS

Free

ORIGINATOR

International Organization for Standardization

TYPE

International or National Standard

AVAILABILITY

SYNONYMS

ISO 27005:2022

ISO/IEC 27005: Information security, cybersecurity and privacy protection — Guidance on managing information security risks

EFFECTIVE

2022-10-01

ADDED

The document as a whole was last reviewed and released on 2024-08-09T00:00:00-0700.

URL

Click here

Important Notice

This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and asociated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within ISO/IEC 27005: Information security, cybersecurity and privacy protection — Guidance on managing information security risks, Fourth edition that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.

Dictionary Terms – The dictionary terms listed for ISO/IEC 27005: Information security, cybersecurity and privacy protection — Guidance on managing information security risks, Fourth edition are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.

Common Controls and
mandates by Impact Zone 67 Mandated Controls - bold
36 Implied Controls - italic 226 Implementation

Number of Controls

329 Total

Audits and risk management

221

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Audits and risk management CC ID 00677	IT Impact Zone	IT Impact Zone
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678	Establish Roles	Preventive
Define and assign the external auditor's roles and responsibilities. CC ID 00683	Establish Roles	Preventive
Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188	Establish/Maintain Documentation	Preventive
Review external auditor outsourcing contracts and engagement letters. CC ID 01189	Establish/Maintain Documentation	Preventive
Review the risk assessments as compared to the in scope controls. CC ID 06978 [According to ISO/IEC 27001:2022, 6.1.2 b), the organization in the scope of the ISMS is required to ensure that repeated information security risk assessments produce consistent, valid and comparable results. It means the chosen method should ensure the following properties of results: § 6.5 ¶ 4]	Testing	Detective
Establish, implement, and maintain a risk management program. CC ID 12051 [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: § 5.2 ¶ 1 {risk management operational cycle} The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: operational cycle, where the above-mentioned elements serves as input information or changed criteria that will affect a risk assessment or assessment where the scenarios should be reviewed and updated. The review should include updating of the corresponding risk treatment as applicable. § 5.2 ¶ 1 Bullet 2 {risk management strategic cycle} {risk management operational cycle} The strategic cycle should be conducted at longer time basis or when major changes occur while the operational cycle should be shorter depending on the detailed risks that are identified and assessed as well as the related risk treatment. § 5.2 ¶ 2 Action: The information security risk management process should be continually monitored, reviewed and improved as necessary. § 10.8 ¶ 3]	Establish/Maintain Documentation	Preventive
Include the scope of risk management activities in the risk management program. CC ID 13658	Establish/Maintain Documentation	Preventive
Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336	Business Processes	Detective
Integrate the risk management program with the organization's business activities. CC ID 13661	Business Processes	Preventive
Integrate the risk management program into daily business decision-making. CC ID 13659 [The risk assessment should help the organization make decisions about the management of the risks that affect the achievement of its objectives. This should therefore be targeted at those risks and controls that, if managed successfully, will improve the likelihood of the organization achieving its objectives. § 6.3 ¶ 3]	Business Processes	Preventive
Include managing mobile risks in the risk management program. CC ID 13535	Establish/Maintain Documentation	Preventive
Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992	Audits and Risk Management	Preventive
Include regular updating in the risk management system. CC ID 14990	Business Processes	Preventive
Establish, implement, and maintain risk management strategies. CC ID 13209 [{risk management strategic cycle} The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: strategic cycle, where business assets, risk sources and threats, target objectives or consequences to information security events are evolving from changes in the overall context of the organization. This can result as inputs for an overall update of the risk assessment or risk assessments and the risk treatments. It can also serve as an input for identifying new risks and initiate completely new risk assessments; § 5.2 ¶ 1 Bullet 1 {risk management strategic cycle} {risk management operational cycle} The strategic cycle should be conducted at longer time basis or when major changes occur while the operational cycle should be shorter depending on the detailed risks that are identified and assessed as well as the related risk treatment. § 5.2 ¶ 2 {risk management approach} The chosen approach should be documented. § 6.5 ¶ 3]	Establish/Maintain Documentation	Preventive
Include off-site storage of supplies in the risk management strategies. CC ID 13221	Establish/Maintain Documentation	Preventive
Include data quality in the risk management strategies. CC ID 15308	Data and Information Management	Preventive
Include the use of alternate service providers in the risk management strategies. CC ID 13217	Establish/Maintain Documentation	Preventive
Include minimizing service interruptions in the risk management strategies. CC ID 13215	Establish/Maintain Documentation	Preventive
Include off-site storage in the risk mitigation strategies. CC ID 13213	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain the risk assessment framework. CC ID 00685	Establish/Maintain Documentation	Preventive
Analyze the risk management strategy for addressing requirements. CC ID 12926	Audits and Risk Management	Detective
Analyze the risk management strategy for addressing threats. CC ID 12925 [In general, to set risk criteria, the following should be considered: how combinations and sequences of multiple risks will be taken into account; § 6.4.1 ¶ 3 Bullet 6]	Audits and Risk Management	Detective
Analyze the risk management strategy for addressing opportunities. CC ID 12924 [Risk acceptance criteria should be established considering the following influencing factors: organizational opportunities; § 6.4.2 ¶ 5 Bullet 2]	Audits and Risk Management	Detective
Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 [An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can include multiple thresholds, and authority for acceptance can be assigned to different levels of management; § 6.4.2 ¶ 4c)]	Establish Roles	Preventive
Establish, implement, and maintain a risk assessment program. CC ID 00687 [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: § 5.2 ¶ 1 The organization should use the organizational risk assessment process (if established) to assess risks to information or to define an information security risk assessment process. § 7.1 ¶ 1 {risk treatment process} Action: Information about the information security risk assessment and treatment processes should be documented and retained. § 10.4.2 ¶ 2]	Establish/Maintain Documentation	Preventive
Address past incidents in the risk assessment program. CC ID 12743	Audits and Risk Management	Preventive
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306	Human Resources Management	Detective
Include the need for risk assessments in the risk assessment program. CC ID 06447 [The context of the risk assessment should be determined including a description of scope and purpose as well as internal and external issues that affect the risk assessment. § 7.1 ¶ 3]	Establish/Maintain Documentation	Preventive
Include the information flow of restricted data in the risk assessment program. CC ID 12339	Establish/Maintain Documentation	Preventive
Establish and maintain the factors and context for risk to the organization. CC ID 12230 [In general, to set risk criteria, the following should be considered: the nature and type of uncertainties that can affect outcomes and objectives (both tangible and intangible); § 6.4.1 ¶ 3 Bullet 1 In general, to set risk criteria, the following should be considered: time-related factors; § 6.4.1 ¶ 3 Bullet 3 In general, to set risk criteria, the following should be considered: the organization's capacity. § 6.4.1 ¶ 3 Bullet 7 The list of influencing factors is not exhaustive. The organization should consider the influencing factors based on the context. § 6.4.2 ¶ 6 The context of the risk assessment should be determined including a description of scope and purpose as well as internal and external issues that affect the risk assessment. § 7.1 ¶ 3 Action: All relevant data should be considered to identify and describe internal and external issues influencing information security risk management and requirements of interested parties. § 10.1 ¶ 3]	Audits and Risk Management	Preventive
Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 [Risk acceptance criteria should be established considering the following influencing factors: financial constraints; § 6.4.2 ¶ 5 Bullet 6]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain insurance requirements. CC ID 16562	Establish/Maintain Documentation	Preventive
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572	Communicate	Preventive
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567	Communicate	Preventive
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571	Acquisition/Sale of Assets or Services	Corrective
Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878	Business Processes	Preventive
Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877	Business Processes	Preventive
Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903	Business Processes	Preventive
Address cybersecurity risks in the risk assessment program. CC ID 13193	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830	Process or Activity	Preventive
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630	Establish/Maintain Documentation	Preventive
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681	Establish/Maintain Documentation	Preventive
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371	Establish/Maintain Documentation	Preventive
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674	Establish/Maintain Documentation	Preventive
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673	Establish/Maintain Documentation	Preventive
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313	Communicate	Preventive
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370	Establish/Maintain Documentation	Preventive
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671	Establish/Maintain Documentation	Preventive
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635	Establish/Maintain Documentation	Preventive
Use the risk taxonomy when managing risk. CC ID 12280	Behavior	Preventive
Establish, implement, and maintain a risk assessment policy. CC ID 14026	Establish/Maintain Documentation	Preventive
Include compliance requirements in the risk assessment policy. CC ID 14121	Establish/Maintain Documentation	Preventive
Include coordination amongst entities in the risk assessment policy. CC ID 14120	Establish/Maintain Documentation	Preventive
Include management commitment in the risk assessment policy. CC ID 14119	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the risk assessment policy. CC ID 14118	Establish/Maintain Documentation	Preventive
Include the scope in the risk assessment policy. CC ID 14117	Establish/Maintain Documentation	Preventive
Include the purpose in the risk assessment policy. CC ID 14116	Establish/Maintain Documentation	Preventive
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115	Communicate	Preventive
Establish, implement, and maintain risk assessment procedures. CC ID 06446	Establish/Maintain Documentation	Preventive
Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 [{legal aspects} Risk acceptance criteria should be established considering the following influencing factors: legal and regulatory aspects; § 6.4.2 ¶ 5 Bullet 3 {legal requirements} The organization should develop a risk ranking, taking into account the following: legal and regulatory requirements, and contractual obligations; § 6.4.3.4 ¶ 3c)]	Establish/Maintain Documentation	Preventive
Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 [Any non-compliance with the basic requirements should be explained and justified. These basic requirements and their compliance should be the input for the likelihood assessment and for the risk treatment. § 6.2 ¶ 4 Risk assessment criteria, or a formal basis for defining them, should be standardized across the organization for all types of risk assessment, as this can facilitate the communication, comparison and aggregation of risks associated with multiple business domains. § 6.4.3.1 ¶ 5 Whether quantitative or qualitative criteria are used, evaluation scales should ultimately be anchored to a reference scale that is understood by all interested parties, and both risk analysis and risk evaluation should include at least periodic formal calibration against the reference scale to ensure validity, consistency and comparability of results. § 6.4.3.4 ¶ 7 Whether quantitative or qualitative criteria are used, evaluation scales should ultimately be anchored to a reference scale that is understood by all interested parties, and both risk analysis and risk evaluation should include at least periodic formal calibration against the reference scale to ensure validity, consistency and comparability of results. § 6.4.3.4 ¶ 7 {information security risk management method} It means the chosen method should ensure the following properties of results: comparability: risk assessment criteria should be defined to ensure that assessments performed for different risks produce comparable results when representing equivalent levels of risk; § 6.5 ¶ 4 Bullet 2 The risk assessment process should be based on methods (see 6.5) and tools designed in sufficient detail to ensure, as far as is possible, consistent, valid and reproducible results. Furthermore, the outcome should be comparable, e.g. to determine whether the level of risk increased or decreased. § 7.1 ¶ 5 The risk assessment process should be based on methods (see 6.5) and tools designed in sufficient detail to ensure, as far as is possible, consistent, valid and reproducible results. Furthermore, the outcome should be comparable, e.g. to determine whether the level of risk increased or decreased. § 7.1 ¶ 5 {information security risk management method} It means the chosen method should ensure the following properties of results: consistency: assessments of the same risks performed by different persons, or by the same persons on different occasions, in the same context, should produce similar results; § 6.5 ¶ 4 Bullet 1]	Establish/Maintain Documentation	Preventive
Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476	Establish/Maintain Documentation	Preventive
Employ risk assessment procedures that take into account information classification. CC ID 06477 [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: the classification level of information; § 6.4.3.1 ¶ 4a)]	Establish/Maintain Documentation	Preventive
Employ risk assessment procedures that align with strategic objectives. CC ID 06474 [The risk assessment should help the organization make decisions about the management of the risks that affect the achievement of its objectives. This should therefore be targeted at those risks and controls that, if managed successfully, will improve the likelihood of the organization achieving its objectives. § 6.3 ¶ 3 Risk analysis should be targeted at those risks and controls that, if managed successfully, improve the likelihood of the organization achieving its objectives. It is easy to spend significant time on a risk assessment, notably the assessment of likelihoods and consequences. To enable efficient decisionmaking on the management of risks, it can be sufficient to use initial, and rough estimates of likelihood and consequence. § 7.3.1 ¶ 4]	Establish/Maintain Documentation	Preventive
Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478	Establish/Maintain Documentation	Preventive
Analyze the organization's information security environment. CC ID 13122	Technical Security	Preventive
Employ risk assessment procedures that take into account the target environment. CC ID 06479 [{information security risk management method} It means the chosen method should ensure the following properties of results: validity: assessments should produce the results that accord as closely as possible with reality. § 6.5 ¶ 4 Bullet 3]	Establish/Maintain Documentation	Preventive
Document cybersecurity risks. CC ID 12281	Establish/Maintain Documentation	Preventive
Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480	Establish/Maintain Documentation	Preventive
Employ risk assessment procedures that take into account risk factors. CC ID 16560	Audits and Risk Management	Preventive
Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342	Establish/Maintain Documentation	Preventive
Include compliance with retention requirements in the risk assessment procedures. CC ID 12341	Establish/Maintain Documentation	Preventive
Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 [Information security risk assessment criteria should take into account the appropriateness of risk management activities. § 6.4.3.1 ¶ 3]	Establish/Maintain Documentation	Preventive
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153	Human Resources Management	Preventive
Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157	Audits and Risk Management	Preventive
Include language that is easy to understand in the risk assessment report. CC ID 06461	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 [An organization should define levels of risk acceptance. The following should be considered during development: different risk acceptance criteria can apply to different classes of risk (e.g. risks that can result in non-compliance with regulations or laws are not always retained, while acceptance of risks can be allowed if the acceptance is a result of a contractual requirement); § 6.4.2 ¶ 4e) Consequence criteria define how an organization categorizes the significance of potential information security events to the organization. It is essential to determine how many categories of consequences are used, how they are defined, and what consequences are associated with each category. Usually, consequence criteria are different for different organizations depending on the organization's internal and external context. § 6.4.3.2 ¶ 3 Depending on the situation, it is recommended to consider the inherent level of risk (without considering any controls), or the current level of risk (allowing for the effectiveness of any controls already implemented). The organization should develop a risk ranking, taking into account the following: § 6.4.3.4 ¶ 3 {external risk} The organization should develop a risk ranking, taking into account the following: risks that appear beyond the boundaries of the organization's scope, including unforeseen effects on third parties. § 6.4.3.4 ¶ 3d) Action: Level of risks should be compared against risk evaluation criteria, particularly risk acceptance criteria. § 7.4.1 ¶ 3]	Establish/Maintain Documentation	Preventive
Document organizational risk criteria. CC ID 12277	Establish/Maintain Documentation	Preventive
Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699	Technical Security	Preventive
Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056	Investigate	Detective
Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443	Audits and Risk Management	Preventive
Review the risk profiles, as necessary. CC ID 16561	Audits and Risk Management	Detective
Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 [Action: Risks associated with the loss of confidentiality, integrity and availability of information should be identified. § 7.2.1 ¶ 3]	Audits and Risk Management	Preventive
Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600	Establish/Maintain Documentation	Preventive
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 [In general, to set risk criteria, the following should be considered: how consequence and likelihood will be defined, predicted and measured; § 6.4.1 ¶ 3 Bullet 2 Consequently, risk acceptance criteria should ideally include consideration of likelihood and consequence independently, as well as costs of management, rather than merely level of risk as a combination of likelihood and consequence. § 6.4.2 ¶ 10 Likelihood criteria should cover the predictably manageable range of anticipated event likelihoods. Beyond the limits of practicable manageability, it is typically only necessary to recognize that one or another limit has been exceeded in order to make an adequate risk management decision (designation as an extreme case). If finite scales are too wide, this typically results in excessively coarse quantization and can lead to error in assessment. This is particularly the case where likelihoods fall into the high end of exponentially represented scales, as the increments in the upper ranges are intrinsically very wide. § 6.4.3.3 ¶ 4 The organization should develop a risk ranking, taking into account the following: the consequence criteria and likelihood criteria; § 6.4.3.4 ¶ 3a) ISO 31000 is referenced in ISO/IEC 27001 as a general model. ISO/IEC 27001:2022, 6.1.2, requires that for each identified risk, the risk analysis is based on assessing the consequences resulting from the risk and assessing the likelihood of the risk to determine a level of risk. § 7.3.1 ¶ 2 The likelihood of occurrence of possible or actual scenarios should be assessed and expressed using established likelihood criteria. § 7.3.3 ¶ 3]	Audits and Risk Management	Preventive
Approve the threat and risk classification scheme. CC ID 15693	Business Processes	Preventive
Include the environments that call for risk assessments in the risk assessment program. CC ID 06448	Establish/Maintain Documentation	Preventive
Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462	Establish/Maintain Documentation	Preventive
Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449	Establish/Maintain Documentation	Preventive
Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450	Establish/Maintain Documentation	Preventive
Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451	Establish/Maintain Documentation	Preventive
Automate as much of the risk assessment program, as necessary. CC ID 06459	Audits and Risk Management	Preventive
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 [Whether quantitative or qualitative criteria are used, evaluation scales should ultimately be anchored to a reference scale that is understood by all interested parties, and both risk analysis and risk evaluation should include at least periodic formal calibration against the reference scale to ensure validity, consistency and comparability of results. § 6.4.3.4 ¶ 7]	Communicate	Preventive
Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458	Establish/Maintain Documentation	Preventive
Perform risk assessments for all target environments, as necessary. CC ID 06452 [If the risk assessment provides sufficient information to effectively determine the actions required to modify the risks to an acceptable level, then the task is complete and the risk treatment follows. If the information is insufficient, another iteration of the risk assessment should be performed. This can involve a change of context of the risk assessment (e.g. revised scope), involvement of expertise in the relevant field, or other ways to collect the information required to enable risk modification to an acceptable level (see "risk decision point 1" in Figure 1). § 5.1 ¶ 5 Organizations can perform risk assessments embedded within many different processes, such as project management, vulnerability management, incident management, problem management, or even on an impromptu basis for a given identified specific topic. Regardless of how risk assessments are performed, they should collectively cover all the issues relevant to the organization within the scope of an ISMS. § 6.3 ¶ 2 Organizations can perform risk assessments embedded within many different processes, such as project management, vulnerability management, incident management, problem management, or even on an impromptu basis for a given identified specific topic. Regardless of how risk assessments are performed, they should collectively cover all the issues relevant to the organization within the scope of an ISMS. § 6.3 ¶ 2 {requirement} Action: The risk assessment process should be performed in accordance with Clause 7. § 9.1 ¶ 3]	Testing	Preventive
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241	Establish/Maintain Documentation	Preventive
Include physical assets in the scope of the risk assessment. CC ID 13075	Establish/Maintain Documentation	Preventive
Include the results of the risk assessment in the risk assessment report. CC ID 06481	Establish/Maintain Documentation	Preventive
Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109	Audits and Risk Management	Preventive
Update the risk assessment upon discovery of a new threat. CC ID 00708	Establish/Maintain Documentation	Detective
Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154	Audits and Risk Management	Preventive
Update the risk assessment upon changes to the risk profile. CC ID 11627 [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: § 5.2 ¶ 1 The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: analysing and learning lessons from incidents (including near misses), changes, trends, successes and failures; § 10.5.1 ¶ 2c)]	Establish/Maintain Documentation	Detective
Review the risk to the audit function when the audit personnel status changes. CC ID 01153	Audits and Risk Management	Preventive
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312	Establish/Maintain Documentation	Preventive
Create a risk assessment report based on the risk assessment results. CC ID 15695 [{risk treatment} Action: Information about the information security risk assessment and treatment results should be documented and retained. § 10.4.3 ¶ 2]	Establish/Maintain Documentation	Preventive
Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633	Communicate	Preventive
Conduct external audits of risk assessments, as necessary. CC ID 13308	Audits and Risk Management	Detective
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313	Communicate	Preventive
Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453	Business Processes	Preventive
Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 [Action: Information on risks, their causes, consequences, their likelihood and the controls being taken to treat them should be communicated to, or obtained from, the external and internal interested parties. § 10.3 ¶ 4]	Behavior	Preventive
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491	Investigate	Detective
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 [The organization should develop a risk ranking, taking into account the following: the consequence criteria and likelihood criteria; § 6.4.3.4 ¶ 3a) The consequences resulting from the failure to adequately preserve confidentiality, integrity or availability of information should be identified and assessed. § 7.3.2 ¶ 3 The organization should develop a risk ranking, taking into account the following: the consequences that information security events can have on strategic, tactical and operational levels (this can be defined as worst case or in other terms provided the same basis is used consistently); § 6.4.3.4 ¶ 3b)]	Audits and Risk Management	Preventive
Conduct a Business Impact Analysis, as necessary. CC ID 01147	Audits and Risk Management	Detective
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224	Establish/Maintain Documentation	Preventive
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264	Establish/Maintain Documentation	Preventive
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223	Establish/Maintain Documentation	Preventive
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222	Establish/Maintain Documentation	Preventive
Include pandemic risks in the Business Impact Analysis. CC ID 13219	Establish/Maintain Documentation	Preventive
Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172	Establish/Maintain Documentation	Preventive
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300	Communicate	Preventive
Establish, implement, and maintain a risk register. CC ID 14828	Establish/Maintain Documentation	Preventive
Document organizational risk tolerance in a risk register. CC ID 09961	Establish/Maintain Documentation	Preventive
Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962	Business Processes	Preventive
Review the Business Impact Analysis, as necessary. CC ID 12774	Business Processes	Preventive
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [The organization should use the organizational risk assessment process (if established) to assess risks to information or to define an information security risk assessment process. § 7.1 ¶ 1]	Audits and Risk Management	Preventive
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 [In general, to set risk criteria, the following should be considered: consistency in the use of measurements; § 6.4.1 ¶ 3 Bullet 4 In general, to set risk criteria, the following should be considered: how the level of risk will be determined; § 6.4.1 ¶ 3 Bullet 5 Consequence criteria define how an organization categorizes the significance of potential information security events to the organization. It is essential to determine how many categories of consequences are used, how they are defined, and what consequences are associated with each category. Usually, consequence criteria are different for different organizations depending on the organization's internal and external context. § 6.4.3.2 ¶ 3 {be equivalent} If a qualitative approach is used, the levels of any qualitative scale should be unambiguous, its increments should be clearly defined, the qualitative descriptions for each level should be expressed in objective language and the levels should not overlap. When different scales are used (e.g. to address risks in different business domains), there should be an equivalency to allow comparable results. § 6.4.3.4 ¶ 8]	Audits and Risk Management	Preventive
Identify the material risks in the risk assessment report. CC ID 06482	Audits and Risk Management	Preventive
Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 [When defining consequence criteria, the following should especially be considered: loss of staff and intellectual capital (skills and expertise); § 6.4.3.2 ¶ 2c)]	Process or Activity	Detective
Assess the potential level of business impact risk associated with individuals. CC ID 17170 [When defining consequence criteria, the following should especially be considered: adverse impact on interested parties; § 6.4.3.2 ¶ 2k) Risk acceptance criteria should be established considering the following influencing factors: human factors (e.g. related to privacy). § 6.4.2 ¶ 5 Bullet 9 When defining consequence criteria, the following should especially be considered: loss of life or harm to individuals or groups; § 6.4.3.2 ¶ 2a) When defining consequence criteria, the following should especially be considered: loss of freedom, dignity or right to privacy; § 6.4.3.2 ¶ 2b)]	Process or Activity	Detective
Assess the potential level of business impact risk associated with each business process. CC ID 06463 [Risk acceptance criteria should be established considering the following influencing factors: processes; § 6.4.2 ¶ 5 Bullet 7 {determine} {appropriateness} {risk management activities} Considerations for achieving this include: the strategic value of the business processes that make use of the information; § 6.4.3.1 ¶ 4c) Risk acceptance criteria should be established considering the following influencing factors: operational activities; § 6.4.2 ¶ 5 Bullet 4 {internal operations} When defining consequence criteria, the following should especially be considered: impaired internal or third-party operations (e.g. damage to a business function or process); § 6.4.3.2 ¶ 2d)]	Audits and Risk Management	Detective
Assess the potential level of business impact risk associated with the business environment. CC ID 06464 [In general, to set risk criteria, the following should be considered: how consequence and likelihood will be defined, predicted and measured; § 6.4.1 ¶ 3 Bullet 2 Consequently, risk acceptance criteria should ideally include consideration of likelihood and consequence independently, as well as costs of management, rather than merely level of risk as a combination of likelihood and consequence. § 6.4.2 ¶ 10 When defining consequence criteria, the following should especially be considered: effects to plans and deadlines; § 6.4.3.2 ¶ 2e) When defining consequence criteria, the following should especially be considered: loss of business advantage or market share; § 6.4.3.2 ¶ 2g) {business value} When defining consequence criteria, the following should especially be considered: loss of business and financial value; § 6.4.3.2 ¶ 2f) ISO 31000 is referenced in ISO/IEC 27001 as a general model. ISO/IEC 27001:2022, 6.1.2, requires that for each identified risk, the risk analysis is based on assessing the consequences resulting from the risk and assessing the likelihood of the risk to determine a level of risk. § 7.3.1 ¶ 2]	Audits and Risk Management	Detective
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: the criticality of the information and assets related to information involved; § 6.4.3.1 ¶ 4d) {determine} {appropriateness} {risk management activities} Considerations for achieving this include: the quantity, and any concentration of information; § 6.4.3.1 ¶ 4b)]	Audits and Risk Management	Detective
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173	Investigate	Detective
Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 [When defining consequence criteria, the following should especially be considered: breaches of legal, regulatory or statutory requirements; § 6.4.3.2 ¶ 2i)]	Process or Activity	Detective
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: operational and business importance of availability, confidentiality and integrity; § 6.4.3.1 ¶ 4e) The consequences resulting from the failure to adequately preserve confidentiality, integrity or availability of information should be identified and assessed. § 7.3.2 ¶ 3]	Audits and Risk Management	Detective
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 [ISO/IEC 27001 is concerned with the consequences which are directly or indirectly affected by the preservation or loss of confidentiality, integrity and availability of information in the scope of the ISMS. Consequence criteria should be developed and specified in terms of the extent of damage or loss, or harm to an organization or individual resulting from the loss of confidentiality, integrity and availability of information. When defining consequence criteria, the following should especially be considered: § 6.4.3.2 ¶ 2]	Audits and Risk Management	Detective
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: negative consequences such as loss of goodwill and reputation; § 6.4.3.1 ¶ 4g) When defining consequence criteria, the following should especially be considered: damage to public trust or reputation; § 6.4.3.2 ¶ 2h)]	Audits and Risk Management	Detective
Assess the potential level of business impact risk associated with insider threats. CC ID 06468	Audits and Risk Management	Detective
Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 [When defining consequence criteria, the following should especially be considered: negative impact on the environment, pollution. § 6.4.3.2 ¶ 2l)]	Process or Activity	Detective
Assess the potential level of business impact risk associated with external entities. CC ID 06469 [Risk acceptance criteria should be established considering the following influencing factors: supplier relationships; § 6.4.2 ¶ 5 Bullet 8 When defining consequence criteria, the following should especially be considered: breaches of contracts or service levels; § 6.4.3.2 ¶ 2j) {internal operations} When defining consequence criteria, the following should especially be considered: impaired internal or third-party operations (e.g. damage to a business function or process); § 6.4.3.2 ¶ 2d)]	Audits and Risk Management	Detective
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470	Actionable Reports or Measurements	Detective
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471	Audits and Risk Management	Detective
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [Risk treatment involves an iterative process of: deciding whether the remaining risk is acceptable; § 5.1 ¶ 6 Bullet 4 It is important to understand that risk appetite, defined as the amount of risk an organization is willing to pursue or accept, can vary considerably from organization to organization. For instance, factors affecting an organization's risk appetite include size, complexity and sector. Risk appetite should be set and regularly reviewed by top management. § 6.1 ¶ 3 An organization should define levels of risk acceptance. The following should be considered during development: § 6.4.2 ¶ 4 {is unacceptable} In risk evaluation, risk acceptance criteria should be used to determine whether a risk is acceptable or not. § 6.4.2 ¶ 2 An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can include multiple thresholds, and authority for acceptance can be assigned to different levels of management; § 6.4.2 ¶ 4c) An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can be based on likelihood and consequence alone, or can be extended to also consider the cost/benefit balance between prospective losses and the cost of controls; § 6.4.2 ¶ 4d) An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria should be defined based upon the risk appetite that indicates amount and type of risk that the organization is willing to pursue or retain; § 6.4.2 ¶ 4g) An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can be absolute or conditional depending on the context. § 6.4.2 ¶ 4h) The risk criteria should be kept under review and updated as necessary as a result of any changes in the context of information security risk management. § 6.4.2 ¶ 13 {determine} {appropriateness} {risk management activities} Considerations for achieving this include: consistency with the organizational risk criteria. § 6.4.3.1 ¶ 4h) Depending on the situation, it is recommended to consider the inherent level of risk (without considering any controls), or the current level of risk (allowing for the effectiveness of any controls already implemented). The organization should develop a risk ranking, taking into account the following: § 6.4.3.4 ¶ 3 Risk acceptance criteria should be established considering the following influencing factors: § 6.4.2 ¶ 5 The level of risk should be determined as a combination of the assessed likelihood and the assessed consequences for all relevant risk scenarios. § 7.3.4 ¶ 3 Action: Determine whether the residual risks are acceptable. § 8.6.3 ¶ 3]	Establish/Maintain Documentation	Preventive
Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887	Investigate	Preventive
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 [Risk treatment involves an iterative process of: formulating and selecting risk treatment options; § 5.1 ¶ 6 Bullet 1 Action: Risk treatment options should be chosen. § 8.2 ¶ 3]	Establish/Maintain Documentation	Preventive
Approve the risk acceptance level, as necessary. CC ID 17168 [The risk acceptance criteria should be approved by the authorized management level. § 6.4.2 ¶ 15]	Process or Activity	Preventive
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849	Behavior	Preventive
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 [{requirements} Action: Compare all necessary controls with those listed in ISO/IEC 27001:2022, Annex A. § 8.4 ¶ 3]	Establish/Maintain Documentation	Detective
Document the results of the gap analysis. CC ID 16271	Establish/Maintain Documentation	Preventive
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [The purpose of scales for level of risk is to help risk owners to decide about retaining or otherwise treating risks and to prioritize them for risk treatment. The assessed level of a particular risk should help the organization to determine the urgency for addressing that risk. § 6.4.3.4 ¶ 2 Action: The risks on the list should be prioritized for risk treatment, considering assessed levels of risks. § 7.4.2 ¶ 3 The output of this process is a set of necessary information security controls [see ISO/IEC 27001:2022, 6.1.3 b)] that are to be deployed or enhanced in relation to one another, in accordance with the risk treatment plan [see ISO/IEC 27001:2022, 6.1.3 e)]. Deployed in this way, the effectiveness of the risk treatment plan is to modify the information security risk facing the organization so that it meets the organization's criteria for acceptance. § 8.1 ¶ 2 Action: Determine all controls, from the chosen control sets as selected from an appropriate source, that are necessary for treating the risks based on the risk treatment options chosen, such as to modify, retain, avoid or share the risks. § 8.3 ¶ 3]	Audits and Risk Management	Preventive
Analyze the effect of threats on organizational strategies and objectives. CC ID 12850	Process or Activity	Detective
Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849	Process or Activity	Detective
Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822	Audits and Risk Management	Preventive
Determine the effectiveness of risk control measures. CC ID 06601 [Risk treatment involves an iterative process of: assessing the effectiveness of that treatment; § 5.1 ¶ 6 Bullet 3 The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: ensuring that the risk treatments are effective, efficient and economical in both design and operation; § 10.5.1 ¶ 2a)]	Testing	Detective
Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946	Audits and Risk Management	Preventive
Establish, implement, and maintain a risk treatment plan. CC ID 11983 [Risk treatment involves an iterative process of: planning and implementing risk treatment; § 5.1 ¶ 6 Bullet 2 An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can include requirements for future additional treatment (e.g. a risk can be retained on a short-term basis even when the level of risk exceeds the risk acceptance criteria if there is approval and commitment to take action to implement a chosen set of controls to reach an acceptable level within a defined time period); § 6.4.2 ¶ 4f) {risk management operational cycle} The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: operational cycle, where the above-mentioned elements serves as input information or changed criteria that will affect a risk assessment or assessment where the scenarios should be reviewed and updated. The review should include updating of the corresponding risk treatment as applicable. § 5.2 ¶ 1 Bullet 2 Action: Formulate risk treatment plan. § 8.6.1 ¶ 3 Action: The risk treatment process should be performed in accordance with Clause 8. § 9.2 ¶ 3 {risk treatment process} Action: Information about the information security risk assessment and treatment processes should be documented and retained. § 10.4.2 ¶ 2 {risk treatment} Action: Information about the information security risk assessment and treatment results should be documented and retained. § 10.4.3 ¶ 2 Action: Revise the risk treatment plan and implement it to modify the residual risk to an acceptable level. § 10.7 ¶ 3]	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the risk treatment plan. CC ID 16991	Establish/Maintain Documentation	Preventive
Include time information in the risk treatment plan. CC ID 16993	Establish/Maintain Documentation	Preventive
Include allocation of resources in the risk treatment plan. CC ID 16989	Establish/Maintain Documentation	Preventive
Include the date of the risk assessment in the risk treatment plan. CC ID 16321	Establish/Maintain Documentation	Preventive
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320	Audits and Risk Management	Preventive
Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835	Audits and Risk Management	Preventive
Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834	Audits and Risk Management	Preventive
Include the risk treatment strategy in the risk treatment plan. CC ID 12159 [{be unacceptable} Risk treatment involves an iterative process of: taking further treatment if not acceptable. § 5.1 ¶ 6 Bullet 5]	Establish/Maintain Documentation	Preventive
Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: § 5.2 ¶ 1]	Establish/Maintain Documentation	Corrective
Include an overview of the migration project plan in the risk treatment plan. CC ID 11982	Establish/Maintain Documentation	Preventive
Include change control processes in the risk treatment plan. CC ID 11981	Establish/Maintain Documentation	Preventive
Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980	Establish/Maintain Documentation	Preventive
Include the implemented risk management controls in the risk treatment plan. CC ID 11979	Establish/Maintain Documentation	Preventive
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620	Establish/Maintain Documentation	Preventive
Include risk assessment results in the risk treatment plan. CC ID 11978	Establish/Maintain Documentation	Preventive
Include a description of usage in the risk treatment plan. CC ID 11977	Establish/Maintain Documentation	Preventive
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619	Establish/Maintain Documentation	Preventive
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 [Action: Information on risks, their causes, consequences, their likelihood and the controls being taken to treat them should be communicated to, or obtained from, the external and internal interested parties. § 10.3 ¶ 4]	Communicate	Preventive
Approve the risk treatment plan. CC ID 13495 [{approve} Action: Approval of risk treatment plan(s) by risk owners. § 8.6.2 ¶ 3 Action: The results of information security risk assessment and status of the information security risk treatment plan should be reviewed to confirm that residual risks meet risk acceptance criteria, and that the risk treatment plan addresses all relevant risks and their risk treatment options. § 10.6 ¶ 3]	Audits and Risk Management	Preventive
Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457	Establish/Maintain Documentation	Preventive
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705	Establish/Maintain Documentation	Corrective
Review and approve the risk assessment findings. CC ID 06485 [Action: The results of information security risk assessment and status of the information security risk treatment plan should be reviewed to confirm that residual risks meet risk acceptance criteria, and that the risk treatment plan addresses all relevant risks and their risk treatment options. § 10.6 ¶ 3]	Establish/Maintain Documentation	Preventive
Include risk responses in the risk management program. CC ID 13195	Establish/Maintain Documentation	Preventive
Document residual risk in a residual risk report. CC ID 13664	Establish/Maintain Documentation	Corrective
Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 [It is important to understand that risk appetite, defined as the amount of risk an organization is willing to pursue or accept, can vary considerably from organization to organization. For instance, factors affecting an organization's risk appetite include size, complexity and sector. Risk appetite should be set and regularly reviewed by top management. § 6.1 ¶ 3]	Business Processes	Preventive
Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220	Establish/Maintain Documentation	Preventive
Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255	Establish/Maintain Documentation	Preventive
Analyze the impact of artificial intelligence systems on business operations. CC ID 16356	Business Processes	Preventive
Analyze the impact of artificial intelligence systems on society. CC ID 16317	Audits and Risk Management	Detective
Analyze the impact of artificial intelligence systems on individuals. CC ID 16316	Audits and Risk Management	Detective
Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827	Audits and Risk Management	Preventive
Include a commitment to continuous improvement In the cybersecurity risk management program. CC ID 16839	Establish/Maintain Documentation	Preventive
Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831	Monitor and Evaluate Occurrences	Preventive
Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834	Establish/Maintain Documentation	Preventive
Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832	Communicate	Preventive
Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829	Communicate	Preventive
Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991	Establish/Maintain Documentation	Preventive
Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276	Establish/Maintain Documentation	Preventive
Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582	Establish/Maintain Documentation	Preventive
Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825	Communicate	Preventive
Evaluate the cyber insurance market. CC ID 12695	Business Processes	Preventive
Evaluate the usefulness of cyber insurance to the organization. CC ID 12694	Business Processes	Preventive
Acquire cyber insurance, as necessary. CC ID 12693	Business Processes	Preventive
Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830	Establish/Maintain Documentation	Preventive
Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828	Monitor and Evaluate Occurrences	Preventive
Establish, implement, and maintain a supply chain risk management policy. CC ID 14663	Establish/Maintain Documentation	Preventive
Include compliance requirements in the supply chain risk management policy. CC ID 14711	Establish/Maintain Documentation	Preventive
Include coordination amongst entities in the supply chain risk management policy. CC ID 14710	Establish/Maintain Documentation	Preventive
Include management commitment in the supply chain risk management policy. CC ID 14709	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the supply chain risk management policy. CC ID 14708	Establish/Maintain Documentation	Preventive
Include the scope in the supply chain risk management policy. CC ID 14707	Establish/Maintain Documentation	Preventive
Include the purpose in the supply chain risk management policy. CC ID 14706	Establish/Maintain Documentation	Preventive
Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662	Communicate	Preventive
Establish, implement, and maintain a supply chain risk management plan. CC ID 14713	Establish/Maintain Documentation	Preventive
Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619	Establish/Maintain Documentation	Preventive
Include dates in the supply chain risk management plan. CC ID 15617	Establish/Maintain Documentation	Preventive
Include implementation milestones in the supply chain risk management plan. CC ID 15615	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the supply chain risk management plan. CC ID 15613	Establish/Maintain Documentation	Preventive
Include supply chain risk management procedures in the risk management program. CC ID 13190	Establish/Maintain Documentation	Preventive
Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712	Communicate	Preventive
Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199	Human Resources Management	Preventive
Analyze supply chain risk management procedures, as necessary. CC ID 13198	Process or Activity	Detective
Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792	Communicate	Preventive

Human Resources management

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Human Resources management CC ID 00763	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806	Establish Roles	Preventive
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807	Establish Roles	Preventive
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 [The organization should ensure that the role of the risk owner is determined in terms of the management activities regarding the identified risks. Risk owners should have appropriate accountability and authority for managing identified risks. § 6.1 ¶ 4 Action: Appropriate level of management should consider results related to information security risks, to decide on or endorse further actions. § 10.2 ¶ 3 Action: Risks should be associated to risk owners. § 7.2.2 ¶ 3]	Human Resources Management	Preventive
Define and assign workforce roles and responsibilities. CC ID 13267	Human Resources Management	Preventive
Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 [The organization should ensure that the role of the risk owner is determined in terms of the management activities regarding the identified risks. Risk owners should have appropriate accountability and authority for managing identified risks. § 6.1 ¶ 4 An organization should define levels of risk acceptance. The following should be considered during development: the level of management with delegated authority to make risk acceptance decisions is identified; § 6.4.2 ¶ 4b)]	Human Resources Management	Preventive
Include the management structure in the duties and responsibilities for risk management. CC ID 13665	Human Resources Management	Preventive

Leadership and high level objectives

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Leadership and high level objectives CC ID 00597	IT Impact Zone	IT Impact Zone
Analyze organizational objectives, functions, and activities. CC ID 00598	Monitor and Evaluate Occurrences	Preventive
Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 [{risk management} The basic requirements of relevant interested parties should be identified, as well as the status of compliance with these requirements. This includes identifying all the reference documents that define security rules and controls and that apply within the scope of the information security risk assessment. § 6.2 ¶ 2 {determine} {appropriateness} {risk management activities} Considerations for achieving this include: the expectations and perceptions of interested parties (e.g. top management); § 6.4.3.1 ¶ 4f)]	Business Processes	Preventive
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a policy and procedure management program. CC ID 06285	Establish/Maintain Documentation	Preventive
Establish and maintain an Authority Document list. CC ID 07113 [{risk management} The basic requirements of relevant interested parties should be identified, as well as the status of compliance with these requirements. This includes identifying all the reference documents that define security rules and controls and that apply within the scope of the information security risk assessment. § 6.2 ¶ 2]	Establish/Maintain Documentation	Preventive
Map in scope assets and in scope records to external requirements. CC ID 12189	Establish/Maintain Documentation	Detective
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636	Establish/Maintain Documentation	Preventive
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901	Communicate	Preventive
Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312	Establish/Maintain Documentation	Preventive
Classify controls according to their preventive, detective, or corrective status. CC ID 06436	Establish/Maintain Documentation	Preventive
Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727	Establish/Maintain Documentation	Preventive
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778	Establish/Maintain Documentation	Preventive
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771	Establish/Maintain Documentation	Corrective
Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774	Establish/Maintain Documentation	Preventive
Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866	Establish/Maintain Documentation	Preventive
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773	Establish/Maintain Documentation	Preventive
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772	Establish/Maintain Documentation	Preventive
Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867	Establish/Maintain Documentation	Detective
Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956	Establish Roles	Preventive
Approve all compliance documents. CC ID 06286	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a compliance exception standard. CC ID 01628	Establish/Maintain Documentation	Preventive
Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 [Any non-compliance with the basic requirements should be explained and justified. These basic requirements and their compliance should be the input for the likelihood assessment and for the risk treatment. § 6.2 ¶ 4]	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a strategic plan. CC ID 12784	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a decision management strategy. CC ID 06913	Establish/Maintain Documentation	Preventive
Include cost benefit analysis in the decision management strategy. CC ID 14014 [An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can be based on likelihood and consequence alone, or can be extended to also consider the cost/benefit balance between prospective losses and the cost of controls; § 6.4.2 ¶ 4d) Consequently, risk acceptance criteria should ideally include consideration of likelihood and consequence independently, as well as costs of management, rather than merely level of risk as a combination of likelihood and consequence. § 6.4.2 ¶ 10]	Establish/Maintain Documentation	Preventive
Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841 [Risk acceptance criteria should be established considering the following influencing factors: organizational objectives; § 6.4.2 ¶ 5 Bullet 1]	Process or Activity	Preventive

Monitoring and measurement

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Monitoring and measurement CC ID 00636	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a risk monitoring program. CC ID 00658 [The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: § 10.5.1 ¶ 2 The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: obtaining information to improve future risk assessments; § 10.5.1 ¶ 2b) The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: detecting changes in the internal and external context, including changes to risk criteria and the risks themselves, which can require revision of risk treatments and priorities; § 10.5.1 ¶ 2d) Action: Risks and their factors (i.e. value of assets, consequences, threats, vulnerabilities, likelihood of occurrence) should be monitored and reviewed to identify any changes in the context of the organization at an early stage, and to maintain an overview of the complete risk picture. § 10.5.2 ¶ 3 The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: identifying emerging risks. § 10.5.1 ¶ 2e)]	Establish/Maintain Documentation	Preventive
Monitor the organization's exposure to threats, as necessary. CC ID 06494	Monitor and Evaluate Occurrences	Preventive
Monitor and evaluate environmental threats. CC ID 13481	Monitor and Evaluate Occurrences	Detective
Implement a fraud detection system. CC ID 13081	Business Processes	Preventive
Update or adjust fraud detection systems, as necessary. CC ID 13684	Process or Activity	Corrective
Monitor for new vulnerabilities. CC ID 06843	Monitor and Evaluate Occurrences	Preventive
Establish, implement, and maintain a compliance testing strategy. CC ID 00659	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833	Testing	Preventive
Test compliance controls for proper functionality. CC ID 00660	Testing	Detective
Establish, implement, and maintain a system security plan. CC ID 01922	Testing	Preventive
Include a system description in the system security plan. CC ID 16467	Establish/Maintain Documentation	Preventive
Include a description of the operational context in the system security plan. CC ID 14301	Establish/Maintain Documentation	Preventive
Include the results of the security categorization in the system security plan. CC ID 14281	Establish/Maintain Documentation	Preventive
Include the information types in the system security plan. CC ID 14696	Establish/Maintain Documentation	Preventive
Include the security requirements in the system security plan. CC ID 14274	Establish/Maintain Documentation	Preventive
Include cryptographic key management procedures in the system security plan. CC ID 17029	Establish/Maintain Documentation	Preventive
Include threats in the system security plan. CC ID 14693	Establish/Maintain Documentation	Preventive
Include network diagrams in the system security plan. CC ID 14273	Establish/Maintain Documentation	Preventive
Include roles and responsibilities in the system security plan. CC ID 14682	Establish/Maintain Documentation	Preventive
Include backup and recovery procedures in the system security plan. CC ID 17043	Establish/Maintain Documentation	Preventive
Include the results of the privacy risk assessment in the system security plan. CC ID 14676	Establish/Maintain Documentation	Preventive
Include remote access methods in the system security plan. CC ID 16441	Establish/Maintain Documentation	Preventive
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275	Communicate	Preventive
Include a description of the operational environment in the system security plan. CC ID 14272	Establish/Maintain Documentation	Preventive
Include the security categorizations and rationale in the system security plan. CC ID 14270	Establish/Maintain Documentation	Preventive
Include the authorization boundary in the system security plan. CC ID 14257	Establish/Maintain Documentation	Preventive
Align the enterprise architecture with the system security plan. CC ID 14255	Process or Activity	Preventive
Include security controls in the system security plan. CC ID 14239	Establish/Maintain Documentation	Preventive
Create specific test plans to test each system component. CC ID 00661	Establish/Maintain Documentation	Preventive
Include the roles and responsibilities in the test plan. CC ID 14299	Establish/Maintain Documentation	Preventive
Include the assessment team in the test plan. CC ID 14297	Establish/Maintain Documentation	Preventive
Include the scope in the test plans. CC ID 14293	Establish/Maintain Documentation	Preventive
Include the assessment environment in the test plan. CC ID 14271	Establish/Maintain Documentation	Preventive
Approve the system security plan. CC ID 14241	Business Processes	Preventive
Adhere to the system security plan. CC ID 11640	Testing	Detective
Review the test plans for each system component. CC ID 00662	Establish/Maintain Documentation	Preventive
Validate all testing assumptions in the test plans. CC ID 00663	Testing	Detective
Document validated testing processes in the testing procedures. CC ID 06200	Establish/Maintain Documentation	Preventive
Require testing procedures to be complete. CC ID 00664	Testing	Detective
Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827	Establish/Maintain Documentation	Preventive
Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665	Testing	Preventive
Implement automated audit tools. CC ID 04882	Acquisition/Sale of Assets or Services	Preventive
Assign senior management to approve test plans. CC ID 13071	Human Resources Management	Preventive
Analyze system audit reports and determine the need to perform more tests. CC ID 00666	Testing	Detective
Monitor devices continuously for conformance with production specifications. CC ID 06201	Monitor and Evaluate Occurrences	Detective
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a metrics policy. CC ID 01654	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain risk management metrics. CC ID 01656 [{be equivalent} If a qualitative approach is used, the levels of any qualitative scale should be unambiguous, its increments should be clearly defined, the qualitative descriptions for each level should be expressed in objective language and the levels should not overlap. When different scales are used (e.g. to address risks in different business domains), there should be an equivalency to allow comparable results. § 6.4.3.4 ¶ 8 The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: analysing and learning lessons from incidents (including near misses), changes, trends, successes and failures; § 10.5.1 ¶ 2c)]	Establish/Maintain Documentation	Preventive
Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657	Actionable Reports or Measurements	Detective
Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658	Actionable Reports or Measurements	Detective
Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659	Actionable Reports or Measurements	Detective
Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571	Actionable Reports or Measurements	Detective
Establish, implement, and maintain compliance program metrics. CC ID 11625 [{risk management} The basic requirements of relevant interested parties should be identified, as well as the status of compliance with these requirements. This includes identifying all the reference documents that define security rules and controls and that apply within the scope of the information security risk assessment. § 6.2 ¶ 2]	Monitor and Evaluate Occurrences	Preventive

Operational management

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Operational management CC ID 00805	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406	Establish/Maintain Documentation	Preventive
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 [Risk acceptance criteria should be established considering the following influencing factors: technological constraints; § 6.4.2 ¶ 5 Bullet 5]	Process or Activity	Preventive
Establish, implement, and maintain an internal control framework. CC ID 00820	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 [Action: Produce a Statement of Applicability. § 8.5 ¶ 3]	Business Processes	Preventive
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129	Establish/Maintain Documentation	Preventive
Include the implementation status of controls in the baseline of internal controls. CC ID 16128	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an information security program. CC ID 00812	Establish/Maintain Documentation	Preventive
Include risk management in the information security program. CC ID 12378 [Although almost anything is "possible", the risk sources that should be given primary attention are those with likelihoods most relevant to the organization's context and the scope of its ISMS. § 6.4.3.3 ¶ 5 The organization should ensure that its information security risk management approach aligns with the organizational risk management approach, so that any information security risks can be compared with other organizational risks and not only considered in isolation. § 7.1 ¶ 6]	Establish/Maintain Documentation	Preventive
Include mitigating supply chain risks in the information security program. CC ID 13352	Establish/Maintain Documentation	Preventive
Establish, implement, and maintain an information security policy. CC ID 11740	Establish/Maintain Documentation	Preventive
Align the information security policy with the organization's risk acceptance level. CC ID 13042 [An organization should define levels of risk acceptance. The following should be considered during development: consistency between the information security risk acceptance criteria and the organization's general risk acceptance criteria; § 6.4.2 ¶ 4a) {risk management methods} In general, the information security risk management approach and methods should be aligned with the approach and methods used to manage the other risks of the organization. § 6.5 ¶ 2]	Business Processes	Preventive

Records management

Mandated - bold Implied - italic Implementation - regular	TYPE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Records management CC ID 00902	IT Impact Zone	IT Impact Zone
Establish, implement, and maintain records management policies. CC ID 00903	Establish/Maintain Documentation	Preventive
Define each system's preservation requirements for records and logs. CC ID 00904	Establish/Maintain Documentation	Detective
Determine how long to keep records and logs before disposing them. CC ID 11661	Process or Activity	Preventive
Retain records in accordance with applicable requirements. CC ID 00968 [{risk treatment process} Action: Information about the information security risk assessment and treatment processes should be documented and retained. § 10.4.2 ¶ 2 {risk treatment} Action: Information about the information security risk assessment and treatment results should be documented and retained. § 10.4.3 ¶ 2]	Records Management	Preventive

Common Controls and
mandates by Type 67 Mandated Controls - bold
36 Implied Controls - italic 226 Implementation

Number of Controls

329 Total

Acquisition/Sale of Assets or Services

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Implement automated audit tools. CC ID 04882	Monitoring and measurement	Preventive
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571	Audits and risk management	Corrective

Actionable Reports or Measurements

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657	Monitoring and measurement	Detective
Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658	Monitoring and measurement	Detective
Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659	Monitoring and measurement	Detective
Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571	Monitoring and measurement	Detective
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470	Audits and risk management	Detective

Audits and Risk Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992	Audits and risk management	Preventive
Analyze the risk management strategy for addressing requirements. CC ID 12926	Audits and risk management	Detective
Analyze the risk management strategy for addressing threats. CC ID 12925 [In general, to set risk criteria, the following should be considered: how combinations and sequences of multiple risks will be taken into account; § 6.4.1 ¶ 3 Bullet 6]	Audits and risk management	Detective
Analyze the risk management strategy for addressing opportunities. CC ID 12924 [Risk acceptance criteria should be established considering the following influencing factors: organizational opportunities; § 6.4.2 ¶ 5 Bullet 2]	Audits and risk management	Detective
Address past incidents in the risk assessment program. CC ID 12743	Audits and risk management	Preventive
Establish and maintain the factors and context for risk to the organization. CC ID 12230 [In general, to set risk criteria, the following should be considered: the nature and type of uncertainties that can affect outcomes and objectives (both tangible and intangible); § 6.4.1 ¶ 3 Bullet 1 In general, to set risk criteria, the following should be considered: time-related factors; § 6.4.1 ¶ 3 Bullet 3 In general, to set risk criteria, the following should be considered: the organization's capacity. § 6.4.1 ¶ 3 Bullet 7 The list of influencing factors is not exhaustive. The organization should consider the influencing factors based on the context. § 6.4.2 ¶ 6 The context of the risk assessment should be determined including a description of scope and purpose as well as internal and external issues that affect the risk assessment. § 7.1 ¶ 3 Action: All relevant data should be considered to identify and describe internal and external issues influencing information security risk management and requirements of interested parties. § 10.1 ¶ 3]	Audits and risk management	Preventive
Employ risk assessment procedures that take into account risk factors. CC ID 16560	Audits and risk management	Preventive
Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157	Audits and risk management	Preventive
Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443	Audits and risk management	Preventive
Review the risk profiles, as necessary. CC ID 16561	Audits and risk management	Detective
Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 [Action: Risks associated with the loss of confidentiality, integrity and availability of information should be identified. § 7.2.1 ¶ 3]	Audits and risk management	Preventive
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 [In general, to set risk criteria, the following should be considered: how consequence and likelihood will be defined, predicted and measured; § 6.4.1 ¶ 3 Bullet 2 Consequently, risk acceptance criteria should ideally include consideration of likelihood and consequence independently, as well as costs of management, rather than merely level of risk as a combination of likelihood and consequence. § 6.4.2 ¶ 10 Likelihood criteria should cover the predictably manageable range of anticipated event likelihoods. Beyond the limits of practicable manageability, it is typically only necessary to recognize that one or another limit has been exceeded in order to make an adequate risk management decision (designation as an extreme case). If finite scales are too wide, this typically results in excessively coarse quantization and can lead to error in assessment. This is particularly the case where likelihoods fall into the high end of exponentially represented scales, as the increments in the upper ranges are intrinsically very wide. § 6.4.3.3 ¶ 4 The organization should develop a risk ranking, taking into account the following: the consequence criteria and likelihood criteria; § 6.4.3.4 ¶ 3a) ISO 31000 is referenced in ISO/IEC 27001 as a general model. ISO/IEC 27001:2022, 6.1.2, requires that for each identified risk, the risk analysis is based on assessing the consequences resulting from the risk and assessing the likelihood of the risk to determine a level of risk. § 7.3.1 ¶ 2 The likelihood of occurrence of possible or actual scenarios should be assessed and expressed using established likelihood criteria. § 7.3.3 ¶ 3]	Audits and risk management	Preventive
Automate as much of the risk assessment program, as necessary. CC ID 06459	Audits and risk management	Preventive
Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109	Audits and risk management	Preventive
Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154	Audits and risk management	Preventive
Review the risk to the audit function when the audit personnel status changes. CC ID 01153	Audits and risk management	Preventive
Conduct external audits of risk assessments, as necessary. CC ID 13308	Audits and risk management	Detective
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 [The organization should develop a risk ranking, taking into account the following: the consequence criteria and likelihood criteria; § 6.4.3.4 ¶ 3a) The consequences resulting from the failure to adequately preserve confidentiality, integrity or availability of information should be identified and assessed. § 7.3.2 ¶ 3 The organization should develop a risk ranking, taking into account the following: the consequences that information security events can have on strategic, tactical and operational levels (this can be defined as worst case or in other terms provided the same basis is used consistently); § 6.4.3.4 ¶ 3b)]	Audits and risk management	Preventive
Conduct a Business Impact Analysis, as necessary. CC ID 01147	Audits and risk management	Detective
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [The organization should use the organizational risk assessment process (if established) to assess risks to information or to define an information security risk assessment process. § 7.1 ¶ 1]	Audits and risk management	Preventive
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 [In general, to set risk criteria, the following should be considered: consistency in the use of measurements; § 6.4.1 ¶ 3 Bullet 4 In general, to set risk criteria, the following should be considered: how the level of risk will be determined; § 6.4.1 ¶ 3 Bullet 5 Consequence criteria define how an organization categorizes the significance of potential information security events to the organization. It is essential to determine how many categories of consequences are used, how they are defined, and what consequences are associated with each category. Usually, consequence criteria are different for different organizations depending on the organization's internal and external context. § 6.4.3.2 ¶ 3 {be equivalent} If a qualitative approach is used, the levels of any qualitative scale should be unambiguous, its increments should be clearly defined, the qualitative descriptions for each level should be expressed in objective language and the levels should not overlap. When different scales are used (e.g. to address risks in different business domains), there should be an equivalency to allow comparable results. § 6.4.3.4 ¶ 8]	Audits and risk management	Preventive
Identify the material risks in the risk assessment report. CC ID 06482	Audits and risk management	Preventive
Assess the potential level of business impact risk associated with each business process. CC ID 06463 [Risk acceptance criteria should be established considering the following influencing factors: processes; § 6.4.2 ¶ 5 Bullet 7 {determine} {appropriateness} {risk management activities} Considerations for achieving this include: the strategic value of the business processes that make use of the information; § 6.4.3.1 ¶ 4c) Risk acceptance criteria should be established considering the following influencing factors: operational activities; § 6.4.2 ¶ 5 Bullet 4 {internal operations} When defining consequence criteria, the following should especially be considered: impaired internal or third-party operations (e.g. damage to a business function or process); § 6.4.3.2 ¶ 2d)]	Audits and risk management	Detective
Assess the potential level of business impact risk associated with the business environment. CC ID 06464 [In general, to set risk criteria, the following should be considered: how consequence and likelihood will be defined, predicted and measured; § 6.4.1 ¶ 3 Bullet 2 Consequently, risk acceptance criteria should ideally include consideration of likelihood and consequence independently, as well as costs of management, rather than merely level of risk as a combination of likelihood and consequence. § 6.4.2 ¶ 10 When defining consequence criteria, the following should especially be considered: effects to plans and deadlines; § 6.4.3.2 ¶ 2e) When defining consequence criteria, the following should especially be considered: loss of business advantage or market share; § 6.4.3.2 ¶ 2g) {business value} When defining consequence criteria, the following should especially be considered: loss of business and financial value; § 6.4.3.2 ¶ 2f) ISO 31000 is referenced in ISO/IEC 27001 as a general model. ISO/IEC 27001:2022, 6.1.2, requires that for each identified risk, the risk analysis is based on assessing the consequences resulting from the risk and assessing the likelihood of the risk to determine a level of risk. § 7.3.1 ¶ 2]	Audits and risk management	Detective
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: the criticality of the information and assets related to information involved; § 6.4.3.1 ¶ 4d) {determine} {appropriateness} {risk management activities} Considerations for achieving this include: the quantity, and any concentration of information; § 6.4.3.1 ¶ 4b)]	Audits and risk management	Detective
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: operational and business importance of availability, confidentiality and integrity; § 6.4.3.1 ¶ 4e) The consequences resulting from the failure to adequately preserve confidentiality, integrity or availability of information should be identified and assessed. § 7.3.2 ¶ 3]	Audits and risk management	Detective
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 [ISO/IEC 27001 is concerned with the consequences which are directly or indirectly affected by the preservation or loss of confidentiality, integrity and availability of information in the scope of the ISMS. Consequence criteria should be developed and specified in terms of the extent of damage or loss, or harm to an organization or individual resulting from the loss of confidentiality, integrity and availability of information. When defining consequence criteria, the following should especially be considered: § 6.4.3.2 ¶ 2]	Audits and risk management	Detective
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: negative consequences such as loss of goodwill and reputation; § 6.4.3.1 ¶ 4g) When defining consequence criteria, the following should especially be considered: damage to public trust or reputation; § 6.4.3.2 ¶ 2h)]	Audits and risk management	Detective
Assess the potential level of business impact risk associated with insider threats. CC ID 06468	Audits and risk management	Detective
Assess the potential level of business impact risk associated with external entities. CC ID 06469 [Risk acceptance criteria should be established considering the following influencing factors: supplier relationships; § 6.4.2 ¶ 5 Bullet 8 When defining consequence criteria, the following should especially be considered: breaches of contracts or service levels; § 6.4.3.2 ¶ 2j) {internal operations} When defining consequence criteria, the following should especially be considered: impaired internal or third-party operations (e.g. damage to a business function or process); § 6.4.3.2 ¶ 2d)]	Audits and risk management	Detective
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471	Audits and risk management	Detective
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [The purpose of scales for level of risk is to help risk owners to decide about retaining or otherwise treating risks and to prioritize them for risk treatment. The assessed level of a particular risk should help the organization to determine the urgency for addressing that risk. § 6.4.3.4 ¶ 2 Action: The risks on the list should be prioritized for risk treatment, considering assessed levels of risks. § 7.4.2 ¶ 3 The output of this process is a set of necessary information security controls [see ISO/IEC 27001:2022, 6.1.3 b)] that are to be deployed or enhanced in relation to one another, in accordance with the risk treatment plan [see ISO/IEC 27001:2022, 6.1.3 e)]. Deployed in this way, the effectiveness of the risk treatment plan is to modify the information security risk facing the organization so that it meets the organization's criteria for acceptance. § 8.1 ¶ 2 Action: Determine all controls, from the chosen control sets as selected from an appropriate source, that are necessary for treating the risks based on the risk treatment options chosen, such as to modify, retain, avoid or share the risks. § 8.3 ¶ 3]	Audits and risk management	Preventive
Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822	Audits and risk management	Preventive
Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946	Audits and risk management	Preventive
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320	Audits and risk management	Preventive
Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835	Audits and risk management	Preventive
Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834	Audits and risk management	Preventive
Approve the risk treatment plan. CC ID 13495 [{approve} Action: Approval of risk treatment plan(s) by risk owners. § 8.6.2 ¶ 3 Action: The results of information security risk assessment and status of the information security risk treatment plan should be reviewed to confirm that residual risks meet risk acceptance criteria, and that the risk treatment plan addresses all relevant risks and their risk treatment options. § 10.6 ¶ 3]	Audits and risk management	Preventive
Analyze the impact of artificial intelligence systems on society. CC ID 16317	Audits and risk management	Detective
Analyze the impact of artificial intelligence systems on individuals. CC ID 16316	Audits and risk management	Detective
Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827	Audits and risk management	Preventive

Behavior

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Use the risk taxonomy when managing risk. CC ID 12280	Audits and risk management	Preventive
Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 [Action: Information on risks, their causes, consequences, their likelihood and the controls being taken to treat them should be communicated to, or obtained from, the external and internal interested parties. § 10.3 ¶ 4]	Audits and risk management	Preventive
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849	Audits and risk management	Preventive

Business Processes

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 [{risk management} The basic requirements of relevant interested parties should be identified, as well as the status of compliance with these requirements. This includes identifying all the reference documents that define security rules and controls and that apply within the scope of the information security risk assessment. § 6.2 ¶ 2 {determine} {appropriateness} {risk management activities} Considerations for achieving this include: the expectations and perceptions of interested parties (e.g. top management); § 6.4.3.1 ¶ 4f)]	Leadership and high level objectives	Preventive
Implement a fraud detection system. CC ID 13081	Monitoring and measurement	Preventive
Approve the system security plan. CC ID 14241	Monitoring and measurement	Preventive
Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336	Audits and risk management	Detective
Integrate the risk management program with the organization's business activities. CC ID 13661	Audits and risk management	Preventive
Integrate the risk management program into daily business decision-making. CC ID 13659 [The risk assessment should help the organization make decisions about the management of the risks that affect the achievement of its objectives. This should therefore be targeted at those risks and controls that, if managed successfully, will improve the likelihood of the organization achieving its objectives. § 6.3 ¶ 3]	Audits and risk management	Preventive
Include regular updating in the risk management system. CC ID 14990	Audits and risk management	Preventive
Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878	Audits and risk management	Preventive
Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877	Audits and risk management	Preventive
Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903	Audits and risk management	Preventive
Approve the threat and risk classification scheme. CC ID 15693	Audits and risk management	Preventive
Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453	Audits and risk management	Preventive
Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962	Audits and risk management	Preventive
Review the Business Impact Analysis, as necessary. CC ID 12774	Audits and risk management	Preventive
Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 [It is important to understand that risk appetite, defined as the amount of risk an organization is willing to pursue or accept, can vary considerably from organization to organization. For instance, factors affecting an organization's risk appetite include size, complexity and sector. Risk appetite should be set and regularly reviewed by top management. § 6.1 ¶ 3]	Audits and risk management	Preventive
Analyze the impact of artificial intelligence systems on business operations. CC ID 16356	Audits and risk management	Preventive
Evaluate the cyber insurance market. CC ID 12695	Audits and risk management	Preventive
Evaluate the usefulness of cyber insurance to the organization. CC ID 12694	Audits and risk management	Preventive
Acquire cyber insurance, as necessary. CC ID 12693	Audits and risk management	Preventive
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 [Action: Produce a Statement of Applicability. § 8.5 ¶ 3]	Operational management	Preventive
Align the information security policy with the organization's risk acceptance level. CC ID 13042 [An organization should define levels of risk acceptance. The following should be considered during development: consistency between the information security risk acceptance criteria and the organization's general risk acceptance criteria; § 6.4.2 ¶ 4a) {risk management methods} In general, the information security risk management approach and methods should be aligned with the approach and methods used to manage the other risks of the organization. § 6.5 ¶ 2]	Operational management	Preventive

Communicate

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901	Leadership and high level objectives	Preventive
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275	Monitoring and measurement	Preventive
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572	Audits and risk management	Preventive
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567	Audits and risk management	Preventive
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313	Audits and risk management	Preventive
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115	Audits and risk management	Preventive
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 [Whether quantitative or qualitative criteria are used, evaluation scales should ultimately be anchored to a reference scale that is understood by all interested parties, and both risk analysis and risk evaluation should include at least periodic formal calibration against the reference scale to ensure validity, consistency and comparability of results. § 6.4.3.4 ¶ 7]	Audits and risk management	Preventive
Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633	Audits and risk management	Preventive
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313	Audits and risk management	Preventive
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300	Audits and risk management	Preventive
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 [Action: Information on risks, their causes, consequences, their likelihood and the controls being taken to treat them should be communicated to, or obtained from, the external and internal interested parties. § 10.3 ¶ 4]	Audits and risk management	Preventive
Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832	Audits and risk management	Preventive
Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829	Audits and risk management	Preventive
Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825	Audits and risk management	Preventive
Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662	Audits and risk management	Preventive
Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712	Audits and risk management	Preventive
Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792	Audits and risk management	Preventive

Data and Information Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Include data quality in the risk management strategies. CC ID 15308	Audits and risk management	Preventive

Establish Roles

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956	Leadership and high level objectives	Preventive
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678	Audits and risk management	Preventive
Define and assign the external auditor's roles and responsibilities. CC ID 00683	Audits and risk management	Preventive
Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 [An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can include multiple thresholds, and authority for acceptance can be assigned to different levels of management; § 6.4.2 ¶ 4c)]	Audits and risk management	Preventive
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806	Human Resources management	Preventive
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807	Human Resources management	Preventive

Establish/Maintain Documentation

179

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241	Leadership and high level objectives	Preventive
Establish, implement, and maintain a policy and procedure management program. CC ID 06285	Leadership and high level objectives	Preventive
Establish and maintain an Authority Document list. CC ID 07113 [{risk management} The basic requirements of relevant interested parties should be identified, as well as the status of compliance with these requirements. This includes identifying all the reference documents that define security rules and controls and that apply within the scope of the information security risk assessment. § 6.2 ¶ 2]	Leadership and high level objectives	Preventive
Map in scope assets and in scope records to external requirements. CC ID 12189	Leadership and high level objectives	Detective
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623	Leadership and high level objectives	Preventive
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636	Leadership and high level objectives	Preventive
Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312	Leadership and high level objectives	Preventive
Classify controls according to their preventive, detective, or corrective status. CC ID 06436	Leadership and high level objectives	Preventive
Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727	Leadership and high level objectives	Preventive
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778	Leadership and high level objectives	Preventive
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771	Leadership and high level objectives	Corrective
Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861	Leadership and high level objectives	Preventive
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774	Leadership and high level objectives	Preventive
Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866	Leadership and high level objectives	Preventive
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773	Leadership and high level objectives	Preventive
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772	Leadership and high level objectives	Preventive
Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867	Leadership and high level objectives	Detective
Approve all compliance documents. CC ID 06286	Leadership and high level objectives	Preventive
Establish, implement, and maintain a compliance exception standard. CC ID 01628	Leadership and high level objectives	Preventive
Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 [Any non-compliance with the basic requirements should be explained and justified. These basic requirements and their compliance should be the input for the likelihood assessment and for the risk treatment. § 6.2 ¶ 4]	Leadership and high level objectives	Preventive
Establish, implement, and maintain a strategic plan. CC ID 12784	Leadership and high level objectives	Preventive
Establish, implement, and maintain a decision management strategy. CC ID 06913	Leadership and high level objectives	Preventive
Include cost benefit analysis in the decision management strategy. CC ID 14014 [An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can be based on likelihood and consequence alone, or can be extended to also consider the cost/benefit balance between prospective losses and the cost of controls; § 6.4.2 ¶ 4d) Consequently, risk acceptance criteria should ideally include consideration of likelihood and consequence independently, as well as costs of management, rather than merely level of risk as a combination of likelihood and consequence. § 6.4.2 ¶ 10]	Leadership and high level objectives	Preventive
Establish, implement, and maintain a risk monitoring program. CC ID 00658 [The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: § 10.5.1 ¶ 2 The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: obtaining information to improve future risk assessments; § 10.5.1 ¶ 2b) The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: detecting changes in the internal and external context, including changes to risk criteria and the risks themselves, which can require revision of risk treatments and priorities; § 10.5.1 ¶ 2d) Action: Risks and their factors (i.e. value of assets, consequences, threats, vulnerabilities, likelihood of occurrence) should be monitored and reviewed to identify any changes in the context of the organization at an early stage, and to maintain an overview of the complete risk picture. § 10.5.2 ¶ 3 The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: identifying emerging risks. § 10.5.1 ¶ 2e)]	Monitoring and measurement	Preventive
Establish, implement, and maintain a compliance testing strategy. CC ID 00659	Monitoring and measurement	Preventive
Include a system description in the system security plan. CC ID 16467	Monitoring and measurement	Preventive
Include a description of the operational context in the system security plan. CC ID 14301	Monitoring and measurement	Preventive
Include the results of the security categorization in the system security plan. CC ID 14281	Monitoring and measurement	Preventive
Include the information types in the system security plan. CC ID 14696	Monitoring and measurement	Preventive
Include the security requirements in the system security plan. CC ID 14274	Monitoring and measurement	Preventive
Include cryptographic key management procedures in the system security plan. CC ID 17029	Monitoring and measurement	Preventive
Include threats in the system security plan. CC ID 14693	Monitoring and measurement	Preventive
Include network diagrams in the system security plan. CC ID 14273	Monitoring and measurement	Preventive
Include roles and responsibilities in the system security plan. CC ID 14682	Monitoring and measurement	Preventive
Include backup and recovery procedures in the system security plan. CC ID 17043	Monitoring and measurement	Preventive
Include the results of the privacy risk assessment in the system security plan. CC ID 14676	Monitoring and measurement	Preventive
Include remote access methods in the system security plan. CC ID 16441	Monitoring and measurement	Preventive
Include a description of the operational environment in the system security plan. CC ID 14272	Monitoring and measurement	Preventive
Include the security categorizations and rationale in the system security plan. CC ID 14270	Monitoring and measurement	Preventive
Include the authorization boundary in the system security plan. CC ID 14257	Monitoring and measurement	Preventive
Include security controls in the system security plan. CC ID 14239	Monitoring and measurement	Preventive
Create specific test plans to test each system component. CC ID 00661	Monitoring and measurement	Preventive
Include the roles and responsibilities in the test plan. CC ID 14299	Monitoring and measurement	Preventive
Include the assessment team in the test plan. CC ID 14297	Monitoring and measurement	Preventive
Include the scope in the test plans. CC ID 14293	Monitoring and measurement	Preventive
Include the assessment environment in the test plan. CC ID 14271	Monitoring and measurement	Preventive
Review the test plans for each system component. CC ID 00662	Monitoring and measurement	Preventive
Document validated testing processes in the testing procedures. CC ID 06200	Monitoring and measurement	Preventive
Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827	Monitoring and measurement	Preventive
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671	Monitoring and measurement	Preventive
Establish, implement, and maintain a metrics policy. CC ID 01654	Monitoring and measurement	Preventive
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653	Monitoring and measurement	Preventive
Establish, implement, and maintain risk management metrics. CC ID 01656 [{be equivalent} If a qualitative approach is used, the levels of any qualitative scale should be unambiguous, its increments should be clearly defined, the qualitative descriptions for each level should be expressed in objective language and the levels should not overlap. When different scales are used (e.g. to address risks in different business domains), there should be an equivalency to allow comparable results. § 6.4.3.4 ¶ 8 The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: analysing and learning lessons from incidents (including near misses), changes, trends, successes and failures; § 10.5.1 ¶ 2c)]	Monitoring and measurement	Preventive
Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188	Audits and risk management	Preventive
Review external auditor outsourcing contracts and engagement letters. CC ID 01189	Audits and risk management	Preventive
Establish, implement, and maintain a risk management program. CC ID 12051 [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: § 5.2 ¶ 1 {risk management operational cycle} The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: operational cycle, where the above-mentioned elements serves as input information or changed criteria that will affect a risk assessment or assessment where the scenarios should be reviewed and updated. The review should include updating of the corresponding risk treatment as applicable. § 5.2 ¶ 1 Bullet 2 {risk management strategic cycle} {risk management operational cycle} The strategic cycle should be conducted at longer time basis or when major changes occur while the operational cycle should be shorter depending on the detailed risks that are identified and assessed as well as the related risk treatment. § 5.2 ¶ 2 Action: The information security risk management process should be continually monitored, reviewed and improved as necessary. § 10.8 ¶ 3]	Audits and risk management	Preventive
Include the scope of risk management activities in the risk management program. CC ID 13658	Audits and risk management	Preventive
Include managing mobile risks in the risk management program. CC ID 13535	Audits and risk management	Preventive
Establish, implement, and maintain risk management strategies. CC ID 13209 [{risk management strategic cycle} The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: strategic cycle, where business assets, risk sources and threats, target objectives or consequences to information security events are evolving from changes in the overall context of the organization. This can result as inputs for an overall update of the risk assessment or risk assessments and the risk treatments. It can also serve as an input for identifying new risks and initiate completely new risk assessments; § 5.2 ¶ 1 Bullet 1 {risk management strategic cycle} {risk management operational cycle} The strategic cycle should be conducted at longer time basis or when major changes occur while the operational cycle should be shorter depending on the detailed risks that are identified and assessed as well as the related risk treatment. § 5.2 ¶ 2 {risk management approach} The chosen approach should be documented. § 6.5 ¶ 3]	Audits and risk management	Preventive
Include off-site storage of supplies in the risk management strategies. CC ID 13221	Audits and risk management	Preventive
Include the use of alternate service providers in the risk management strategies. CC ID 13217	Audits and risk management	Preventive
Include minimizing service interruptions in the risk management strategies. CC ID 13215	Audits and risk management	Preventive
Include off-site storage in the risk mitigation strategies. CC ID 13213	Audits and risk management	Preventive
Establish, implement, and maintain the risk assessment framework. CC ID 00685	Audits and risk management	Preventive
Establish, implement, and maintain a risk assessment program. CC ID 00687 [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: § 5.2 ¶ 1 The organization should use the organizational risk assessment process (if established) to assess risks to information or to define an information security risk assessment process. § 7.1 ¶ 1 {risk treatment process} Action: Information about the information security risk assessment and treatment processes should be documented and retained. § 10.4.2 ¶ 2]	Audits and risk management	Preventive
Include the need for risk assessments in the risk assessment program. CC ID 06447 [The context of the risk assessment should be determined including a description of scope and purpose as well as internal and external issues that affect the risk assessment. § 7.1 ¶ 3]	Audits and risk management	Preventive
Include the information flow of restricted data in the risk assessment program. CC ID 12339	Audits and risk management	Preventive
Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 [Risk acceptance criteria should be established considering the following influencing factors: financial constraints; § 6.4.2 ¶ 5 Bullet 6]	Audits and risk management	Preventive
Establish, implement, and maintain insurance requirements. CC ID 16562	Audits and risk management	Preventive
Address cybersecurity risks in the risk assessment program. CC ID 13193	Audits and risk management	Preventive
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630	Audits and risk management	Preventive
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681	Audits and risk management	Preventive
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371	Audits and risk management	Preventive
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674	Audits and risk management	Preventive
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673	Audits and risk management	Preventive
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370	Audits and risk management	Preventive
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671	Audits and risk management	Preventive
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635	Audits and risk management	Preventive
Establish, implement, and maintain a risk assessment policy. CC ID 14026	Audits and risk management	Preventive
Include compliance requirements in the risk assessment policy. CC ID 14121	Audits and risk management	Preventive
Include coordination amongst entities in the risk assessment policy. CC ID 14120	Audits and risk management	Preventive
Include management commitment in the risk assessment policy. CC ID 14119	Audits and risk management	Preventive
Include roles and responsibilities in the risk assessment policy. CC ID 14118	Audits and risk management	Preventive
Include the scope in the risk assessment policy. CC ID 14117	Audits and risk management	Preventive
Include the purpose in the risk assessment policy. CC ID 14116	Audits and risk management	Preventive
Establish, implement, and maintain risk assessment procedures. CC ID 06446	Audits and risk management	Preventive
Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 [{legal aspects} Risk acceptance criteria should be established considering the following influencing factors: legal and regulatory aspects; § 6.4.2 ¶ 5 Bullet 3 {legal requirements} The organization should develop a risk ranking, taking into account the following: legal and regulatory requirements, and contractual obligations; § 6.4.3.4 ¶ 3c)]	Audits and risk management	Preventive
Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 [Any non-compliance with the basic requirements should be explained and justified. These basic requirements and their compliance should be the input for the likelihood assessment and for the risk treatment. § 6.2 ¶ 4 Risk assessment criteria, or a formal basis for defining them, should be standardized across the organization for all types of risk assessment, as this can facilitate the communication, comparison and aggregation of risks associated with multiple business domains. § 6.4.3.1 ¶ 5 Whether quantitative or qualitative criteria are used, evaluation scales should ultimately be anchored to a reference scale that is understood by all interested parties, and both risk analysis and risk evaluation should include at least periodic formal calibration against the reference scale to ensure validity, consistency and comparability of results. § 6.4.3.4 ¶ 7 Whether quantitative or qualitative criteria are used, evaluation scales should ultimately be anchored to a reference scale that is understood by all interested parties, and both risk analysis and risk evaluation should include at least periodic formal calibration against the reference scale to ensure validity, consistency and comparability of results. § 6.4.3.4 ¶ 7 {information security risk management method} It means the chosen method should ensure the following properties of results: comparability: risk assessment criteria should be defined to ensure that assessments performed for different risks produce comparable results when representing equivalent levels of risk; § 6.5 ¶ 4 Bullet 2 The risk assessment process should be based on methods (see 6.5) and tools designed in sufficient detail to ensure, as far as is possible, consistent, valid and reproducible results. Furthermore, the outcome should be comparable, e.g. to determine whether the level of risk increased or decreased. § 7.1 ¶ 5 The risk assessment process should be based on methods (see 6.5) and tools designed in sufficient detail to ensure, as far as is possible, consistent, valid and reproducible results. Furthermore, the outcome should be comparable, e.g. to determine whether the level of risk increased or decreased. § 7.1 ¶ 5 {information security risk management method} It means the chosen method should ensure the following properties of results: consistency: assessments of the same risks performed by different persons, or by the same persons on different occasions, in the same context, should produce similar results; § 6.5 ¶ 4 Bullet 1]	Audits and risk management	Preventive
Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476	Audits and risk management	Preventive
Employ risk assessment procedures that take into account information classification. CC ID 06477 [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: the classification level of information; § 6.4.3.1 ¶ 4a)]	Audits and risk management	Preventive
Employ risk assessment procedures that align with strategic objectives. CC ID 06474 [The risk assessment should help the organization make decisions about the management of the risks that affect the achievement of its objectives. This should therefore be targeted at those risks and controls that, if managed successfully, will improve the likelihood of the organization achieving its objectives. § 6.3 ¶ 3 Risk analysis should be targeted at those risks and controls that, if managed successfully, improve the likelihood of the organization achieving its objectives. It is easy to spend significant time on a risk assessment, notably the assessment of likelihoods and consequences. To enable efficient decisionmaking on the management of risks, it can be sufficient to use initial, and rough estimates of likelihood and consequence. § 7.3.1 ¶ 4]	Audits and risk management	Preventive
Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478	Audits and risk management	Preventive
Employ risk assessment procedures that take into account the target environment. CC ID 06479 [{information security risk management method} It means the chosen method should ensure the following properties of results: validity: assessments should produce the results that accord as closely as possible with reality. § 6.5 ¶ 4 Bullet 3]	Audits and risk management	Preventive
Document cybersecurity risks. CC ID 12281	Audits and risk management	Preventive
Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480	Audits and risk management	Preventive
Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342	Audits and risk management	Preventive
Include compliance with retention requirements in the risk assessment procedures. CC ID 12341	Audits and risk management	Preventive
Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 [Information security risk assessment criteria should take into account the appropriateness of risk management activities. § 6.4.3.1 ¶ 3]	Audits and risk management	Preventive
Include language that is easy to understand in the risk assessment report. CC ID 06461	Audits and risk management	Preventive
Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 [An organization should define levels of risk acceptance. The following should be considered during development: different risk acceptance criteria can apply to different classes of risk (e.g. risks that can result in non-compliance with regulations or laws are not always retained, while acceptance of risks can be allowed if the acceptance is a result of a contractual requirement); § 6.4.2 ¶ 4e) Consequence criteria define how an organization categorizes the significance of potential information security events to the organization. It is essential to determine how many categories of consequences are used, how they are defined, and what consequences are associated with each category. Usually, consequence criteria are different for different organizations depending on the organization's internal and external context. § 6.4.3.2 ¶ 3 Depending on the situation, it is recommended to consider the inherent level of risk (without considering any controls), or the current level of risk (allowing for the effectiveness of any controls already implemented). The organization should develop a risk ranking, taking into account the following: § 6.4.3.4 ¶ 3 {external risk} The organization should develop a risk ranking, taking into account the following: risks that appear beyond the boundaries of the organization's scope, including unforeseen effects on third parties. § 6.4.3.4 ¶ 3d) Action: Level of risks should be compared against risk evaluation criteria, particularly risk acceptance criteria. § 7.4.1 ¶ 3]	Audits and risk management	Preventive
Document organizational risk criteria. CC ID 12277	Audits and risk management	Preventive
Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600	Audits and risk management	Preventive
Include the environments that call for risk assessments in the risk assessment program. CC ID 06448	Audits and risk management	Preventive
Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462	Audits and risk management	Preventive
Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449	Audits and risk management	Preventive
Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450	Audits and risk management	Preventive
Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451	Audits and risk management	Preventive
Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458	Audits and risk management	Preventive
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241	Audits and risk management	Preventive
Include physical assets in the scope of the risk assessment. CC ID 13075	Audits and risk management	Preventive
Include the results of the risk assessment in the risk assessment report. CC ID 06481	Audits and risk management	Preventive
Update the risk assessment upon discovery of a new threat. CC ID 00708	Audits and risk management	Detective
Update the risk assessment upon changes to the risk profile. CC ID 11627 [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: § 5.2 ¶ 1 The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: analysing and learning lessons from incidents (including near misses), changes, trends, successes and failures; § 10.5.1 ¶ 2c)]	Audits and risk management	Detective
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312	Audits and risk management	Preventive
Create a risk assessment report based on the risk assessment results. CC ID 15695 [{risk treatment} Action: Information about the information security risk assessment and treatment results should be documented and retained. § 10.4.3 ¶ 2]	Audits and risk management	Preventive
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224	Audits and risk management	Preventive
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264	Audits and risk management	Preventive
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223	Audits and risk management	Preventive
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222	Audits and risk management	Preventive
Include pandemic risks in the Business Impact Analysis. CC ID 13219	Audits and risk management	Preventive
Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172	Audits and risk management	Preventive
Establish, implement, and maintain a risk register. CC ID 14828	Audits and risk management	Preventive
Document organizational risk tolerance in a risk register. CC ID 09961	Audits and risk management	Preventive
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [Risk treatment involves an iterative process of: deciding whether the remaining risk is acceptable; § 5.1 ¶ 6 Bullet 4 It is important to understand that risk appetite, defined as the amount of risk an organization is willing to pursue or accept, can vary considerably from organization to organization. For instance, factors affecting an organization's risk appetite include size, complexity and sector. Risk appetite should be set and regularly reviewed by top management. § 6.1 ¶ 3 An organization should define levels of risk acceptance. The following should be considered during development: § 6.4.2 ¶ 4 {is unacceptable} In risk evaluation, risk acceptance criteria should be used to determine whether a risk is acceptable or not. § 6.4.2 ¶ 2 An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can include multiple thresholds, and authority for acceptance can be assigned to different levels of management; § 6.4.2 ¶ 4c) An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can be based on likelihood and consequence alone, or can be extended to also consider the cost/benefit balance between prospective losses and the cost of controls; § 6.4.2 ¶ 4d) An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria should be defined based upon the risk appetite that indicates amount and type of risk that the organization is willing to pursue or retain; § 6.4.2 ¶ 4g) An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can be absolute or conditional depending on the context. § 6.4.2 ¶ 4h) The risk criteria should be kept under review and updated as necessary as a result of any changes in the context of information security risk management. § 6.4.2 ¶ 13 {determine} {appropriateness} {risk management activities} Considerations for achieving this include: consistency with the organizational risk criteria. § 6.4.3.1 ¶ 4h) Depending on the situation, it is recommended to consider the inherent level of risk (without considering any controls), or the current level of risk (allowing for the effectiveness of any controls already implemented). The organization should develop a risk ranking, taking into account the following: § 6.4.3.4 ¶ 3 Risk acceptance criteria should be established considering the following influencing factors: § 6.4.2 ¶ 5 The level of risk should be determined as a combination of the assessed likelihood and the assessed consequences for all relevant risk scenarios. § 7.3.4 ¶ 3 Action: Determine whether the residual risks are acceptable. § 8.6.3 ¶ 3]	Audits and risk management	Preventive
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 [Risk treatment involves an iterative process of: formulating and selecting risk treatment options; § 5.1 ¶ 6 Bullet 1 Action: Risk treatment options should be chosen. § 8.2 ¶ 3]	Audits and risk management	Preventive
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 [{requirements} Action: Compare all necessary controls with those listed in ISO/IEC 27001:2022, Annex A. § 8.4 ¶ 3]	Audits and risk management	Detective
Document the results of the gap analysis. CC ID 16271	Audits and risk management	Preventive
Establish, implement, and maintain a risk treatment plan. CC ID 11983 [Risk treatment involves an iterative process of: planning and implementing risk treatment; § 5.1 ¶ 6 Bullet 2 An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can include requirements for future additional treatment (e.g. a risk can be retained on a short-term basis even when the level of risk exceeds the risk acceptance criteria if there is approval and commitment to take action to implement a chosen set of controls to reach an acceptable level within a defined time period); § 6.4.2 ¶ 4f) {risk management operational cycle} The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: operational cycle, where the above-mentioned elements serves as input information or changed criteria that will affect a risk assessment or assessment where the scenarios should be reviewed and updated. The review should include updating of the corresponding risk treatment as applicable. § 5.2 ¶ 1 Bullet 2 Action: Formulate risk treatment plan. § 8.6.1 ¶ 3 Action: The risk treatment process should be performed in accordance with Clause 8. § 9.2 ¶ 3 {risk treatment process} Action: Information about the information security risk assessment and treatment processes should be documented and retained. § 10.4.2 ¶ 2 {risk treatment} Action: Information about the information security risk assessment and treatment results should be documented and retained. § 10.4.3 ¶ 2 Action: Revise the risk treatment plan and implement it to modify the residual risk to an acceptable level. § 10.7 ¶ 3]	Audits and risk management	Preventive
Include roles and responsibilities in the risk treatment plan. CC ID 16991	Audits and risk management	Preventive
Include time information in the risk treatment plan. CC ID 16993	Audits and risk management	Preventive
Include allocation of resources in the risk treatment plan. CC ID 16989	Audits and risk management	Preventive
Include the date of the risk assessment in the risk treatment plan. CC ID 16321	Audits and risk management	Preventive
Include the risk treatment strategy in the risk treatment plan. CC ID 12159 [{be unacceptable} Risk treatment involves an iterative process of: taking further treatment if not acceptable. § 5.1 ¶ 6 Bullet 5]	Audits and risk management	Preventive
Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: § 5.2 ¶ 1]	Audits and risk management	Corrective
Include an overview of the migration project plan in the risk treatment plan. CC ID 11982	Audits and risk management	Preventive
Include change control processes in the risk treatment plan. CC ID 11981	Audits and risk management	Preventive
Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980	Audits and risk management	Preventive
Include the implemented risk management controls in the risk treatment plan. CC ID 11979	Audits and risk management	Preventive
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620	Audits and risk management	Preventive
Include risk assessment results in the risk treatment plan. CC ID 11978	Audits and risk management	Preventive
Include a description of usage in the risk treatment plan. CC ID 11977	Audits and risk management	Preventive
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619	Audits and risk management	Preventive
Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457	Audits and risk management	Preventive
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705	Audits and risk management	Corrective
Review and approve the risk assessment findings. CC ID 06485 [Action: The results of information security risk assessment and status of the information security risk treatment plan should be reviewed to confirm that residual risks meet risk acceptance criteria, and that the risk treatment plan addresses all relevant risks and their risk treatment options. § 10.6 ¶ 3]	Audits and risk management	Preventive
Include risk responses in the risk management program. CC ID 13195	Audits and risk management	Preventive
Document residual risk in a residual risk report. CC ID 13664	Audits and risk management	Corrective
Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220	Audits and risk management	Preventive
Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255	Audits and risk management	Preventive
Include a commitment to continuous improvement In the cybersecurity risk management program. CC ID 16839	Audits and risk management	Preventive
Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834	Audits and risk management	Preventive
Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991	Audits and risk management	Preventive
Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276	Audits and risk management	Preventive
Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582	Audits and risk management	Preventive
Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826	Audits and risk management	Preventive
Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830	Audits and risk management	Preventive
Establish, implement, and maintain a supply chain risk management policy. CC ID 14663	Audits and risk management	Preventive
Include compliance requirements in the supply chain risk management policy. CC ID 14711	Audits and risk management	Preventive
Include coordination amongst entities in the supply chain risk management policy. CC ID 14710	Audits and risk management	Preventive
Include management commitment in the supply chain risk management policy. CC ID 14709	Audits and risk management	Preventive
Include roles and responsibilities in the supply chain risk management policy. CC ID 14708	Audits and risk management	Preventive
Include the scope in the supply chain risk management policy. CC ID 14707	Audits and risk management	Preventive
Include the purpose in the supply chain risk management policy. CC ID 14706	Audits and risk management	Preventive
Establish, implement, and maintain a supply chain risk management plan. CC ID 14713	Audits and risk management	Preventive
Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619	Audits and risk management	Preventive
Include dates in the supply chain risk management plan. CC ID 15617	Audits and risk management	Preventive
Include implementation milestones in the supply chain risk management plan. CC ID 15615	Audits and risk management	Preventive
Include roles and responsibilities in the supply chain risk management plan. CC ID 15613	Audits and risk management	Preventive
Include supply chain risk management procedures in the risk management program. CC ID 13190	Audits and risk management	Preventive
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406	Operational management	Preventive
Establish, implement, and maintain an internal control framework. CC ID 00820	Operational management	Preventive
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129	Operational management	Preventive
Include the implementation status of controls in the baseline of internal controls. CC ID 16128	Operational management	Preventive
Establish, implement, and maintain an information security program. CC ID 00812	Operational management	Preventive
Include risk management in the information security program. CC ID 12378 [Although almost anything is "possible", the risk sources that should be given primary attention are those with likelihoods most relevant to the organization's context and the scope of its ISMS. § 6.4.3.3 ¶ 5 The organization should ensure that its information security risk management approach aligns with the organizational risk management approach, so that any information security risks can be compared with other organizational risks and not only considered in isolation. § 7.1 ¶ 6]	Operational management	Preventive
Include mitigating supply chain risks in the information security program. CC ID 13352	Operational management	Preventive
Establish, implement, and maintain an information security policy. CC ID 11740	Operational management	Preventive
Establish, implement, and maintain records management policies. CC ID 00903	Records management	Preventive
Define each system's preservation requirements for records and logs. CC ID 00904	Records management	Detective

Human Resources Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Assign senior management to approve test plans. CC ID 13071	Monitoring and measurement	Preventive
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306	Audits and risk management	Detective
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153	Audits and risk management	Preventive
Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199	Audits and risk management	Preventive
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 [The organization should ensure that the role of the risk owner is determined in terms of the management activities regarding the identified risks. Risk owners should have appropriate accountability and authority for managing identified risks. § 6.1 ¶ 4 Action: Appropriate level of management should consider results related to information security risks, to decide on or endorse further actions. § 10.2 ¶ 3 Action: Risks should be associated to risk owners. § 7.2.2 ¶ 3]	Human Resources management	Preventive
Define and assign workforce roles and responsibilities. CC ID 13267	Human Resources management	Preventive
Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 [The organization should ensure that the role of the risk owner is determined in terms of the management activities regarding the identified risks. Risk owners should have appropriate accountability and authority for managing identified risks. § 6.1 ¶ 4 An organization should define levels of risk acceptance. The following should be considered during development: the level of management with delegated authority to make risk acceptance decisions is identified; § 6.4.2 ¶ 4b)]	Human Resources management	Preventive
Include the management structure in the duties and responsibilities for risk management. CC ID 13665	Human Resources management	Preventive

IT Impact Zone

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Leadership and high level objectives CC ID 00597	Leadership and high level objectives	IT Impact Zone
Monitoring and measurement CC ID 00636	Monitoring and measurement	IT Impact Zone
Audits and risk management CC ID 00677	Audits and risk management	IT Impact Zone
Human Resources management CC ID 00763	Human Resources management	IT Impact Zone
Operational management CC ID 00805	Operational management	IT Impact Zone
Records management CC ID 00902	Records management	IT Impact Zone

Investigate

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056	Audits and risk management	Detective
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491	Audits and risk management	Detective
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173	Audits and risk management	Detective
Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887	Audits and risk management	Preventive

Monitor and Evaluate Occurrences

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Analyze organizational objectives, functions, and activities. CC ID 00598	Leadership and high level objectives	Preventive
Monitor the organization's exposure to threats, as necessary. CC ID 06494	Monitoring and measurement	Preventive
Monitor and evaluate environmental threats. CC ID 13481	Monitoring and measurement	Detective
Monitor for new vulnerabilities. CC ID 06843	Monitoring and measurement	Preventive
Monitor devices continuously for conformance with production specifications. CC ID 06201	Monitoring and measurement	Detective
Establish, implement, and maintain compliance program metrics. CC ID 11625 [{risk management} The basic requirements of relevant interested parties should be identified, as well as the status of compliance with these requirements. This includes identifying all the reference documents that define security rules and controls and that apply within the scope of the information security risk assessment. § 6.2 ¶ 2]	Monitoring and measurement	Preventive
Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831	Audits and risk management	Preventive
Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828	Audits and risk management	Preventive

Process or Activity

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841 [Risk acceptance criteria should be established considering the following influencing factors: organizational objectives; § 6.4.2 ¶ 5 Bullet 1]	Leadership and high level objectives	Preventive
Update or adjust fraud detection systems, as necessary. CC ID 13684	Monitoring and measurement	Corrective
Align the enterprise architecture with the system security plan. CC ID 14255	Monitoring and measurement	Preventive
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830	Audits and risk management	Preventive
Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 [When defining consequence criteria, the following should especially be considered: loss of staff and intellectual capital (skills and expertise); § 6.4.3.2 ¶ 2c)]	Audits and risk management	Detective
Assess the potential level of business impact risk associated with individuals. CC ID 17170 [When defining consequence criteria, the following should especially be considered: adverse impact on interested parties; § 6.4.3.2 ¶ 2k) Risk acceptance criteria should be established considering the following influencing factors: human factors (e.g. related to privacy). § 6.4.2 ¶ 5 Bullet 9 When defining consequence criteria, the following should especially be considered: loss of life or harm to individuals or groups; § 6.4.3.2 ¶ 2a) When defining consequence criteria, the following should especially be considered: loss of freedom, dignity or right to privacy; § 6.4.3.2 ¶ 2b)]	Audits and risk management	Detective
Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 [When defining consequence criteria, the following should especially be considered: breaches of legal, regulatory or statutory requirements; § 6.4.3.2 ¶ 2i)]	Audits and risk management	Detective
Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 [When defining consequence criteria, the following should especially be considered: negative impact on the environment, pollution. § 6.4.3.2 ¶ 2l)]	Audits and risk management	Detective
Approve the risk acceptance level, as necessary. CC ID 17168 [The risk acceptance criteria should be approved by the authorized management level. § 6.4.2 ¶ 15]	Audits and risk management	Preventive
Analyze the effect of threats on organizational strategies and objectives. CC ID 12850	Audits and risk management	Detective
Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849	Audits and risk management	Detective
Analyze supply chain risk management procedures, as necessary. CC ID 13198	Audits and risk management	Detective
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 [Risk acceptance criteria should be established considering the following influencing factors: technological constraints; § 6.4.2 ¶ 5 Bullet 5]	Operational management	Preventive
Determine how long to keep records and logs before disposing them. CC ID 11661	Records management	Preventive

Records Management

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Retain records in accordance with applicable requirements. CC ID 00968 [{risk treatment process} Action: Information about the information security risk assessment and treatment processes should be documented and retained. § 10.4.2 ¶ 2 {risk treatment} Action: Information about the information security risk assessment and treatment results should be documented and retained. § 10.4.3 ¶ 2]	Records management	Preventive

Technical Security

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Analyze the organization's information security environment. CC ID 13122	Audits and risk management	Preventive
Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699	Audits and risk management	Preventive

Testing

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	CLASS
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833	Monitoring and measurement	Preventive
Test compliance controls for proper functionality. CC ID 00660	Monitoring and measurement	Detective
Establish, implement, and maintain a system security plan. CC ID 01922	Monitoring and measurement	Preventive
Adhere to the system security plan. CC ID 11640	Monitoring and measurement	Detective
Validate all testing assumptions in the test plans. CC ID 00663	Monitoring and measurement	Detective
Require testing procedures to be complete. CC ID 00664	Monitoring and measurement	Detective
Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665	Monitoring and measurement	Preventive
Analyze system audit reports and determine the need to perform more tests. CC ID 00666	Monitoring and measurement	Detective
Review the risk assessments as compared to the in scope controls. CC ID 06978 [According to ISO/IEC 27001:2022, 6.1.2 b), the organization in the scope of the ISMS is required to ensure that repeated information security risk assessments produce consistent, valid and comparable results. It means the chosen method should ensure the following properties of results: § 6.5 ¶ 4]	Audits and risk management	Detective
Perform risk assessments for all target environments, as necessary. CC ID 06452 [If the risk assessment provides sufficient information to effectively determine the actions required to modify the risks to an acceptable level, then the task is complete and the risk treatment follows. If the information is insufficient, another iteration of the risk assessment should be performed. This can involve a change of context of the risk assessment (e.g. revised scope), involvement of expertise in the relevant field, or other ways to collect the information required to enable risk modification to an acceptable level (see "risk decision point 1" in Figure 1). § 5.1 ¶ 5 Organizations can perform risk assessments embedded within many different processes, such as project management, vulnerability management, incident management, problem management, or even on an impromptu basis for a given identified specific topic. Regardless of how risk assessments are performed, they should collectively cover all the issues relevant to the organization within the scope of an ISMS. § 6.3 ¶ 2 Organizations can perform risk assessments embedded within many different processes, such as project management, vulnerability management, incident management, problem management, or even on an impromptu basis for a given identified specific topic. Regardless of how risk assessments are performed, they should collectively cover all the issues relevant to the organization within the scope of an ISMS. § 6.3 ¶ 2 {requirement} Action: The risk assessment process should be performed in accordance with Clause 7. § 9.1 ¶ 3]	Audits and risk management	Preventive
Determine the effectiveness of risk control measures. CC ID 06601 [Risk treatment involves an iterative process of: assessing the effectiveness of that treatment; § 5.1 ¶ 6 Bullet 3 The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: ensuring that the risk treatments are effective, efficient and economical in both design and operation; § 10.5.1 ¶ 2a)]	Audits and risk management	Detective

Common Controls and
mandates by Classification 67 Mandated Controls - bold
36 Implied Controls - italic 226 Implementation

Number of Controls

329 Total

Corrective

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	TYPE
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771	Leadership and high level objectives	Establish/Maintain Documentation
Update or adjust fraud detection systems, as necessary. CC ID 13684	Monitoring and measurement	Process or Activity
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571	Audits and risk management	Acquisition/Sale of Assets or Services
Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: § 5.2 ¶ 1]	Audits and risk management	Establish/Maintain Documentation
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705	Audits and risk management	Establish/Maintain Documentation
Document residual risk in a residual risk report. CC ID 13664	Audits and risk management	Establish/Maintain Documentation

Detective

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	TYPE
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Map in scope assets and in scope records to external requirements. CC ID 12189	Leadership and high level objectives	Establish/Maintain Documentation
Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867	Leadership and high level objectives	Establish/Maintain Documentation
Monitor and evaluate environmental threats. CC ID 13481	Monitoring and measurement	Monitor and Evaluate Occurrences
Test compliance controls for proper functionality. CC ID 00660	Monitoring and measurement	Testing
Adhere to the system security plan. CC ID 11640	Monitoring and measurement	Testing
Validate all testing assumptions in the test plans. CC ID 00663	Monitoring and measurement	Testing
Require testing procedures to be complete. CC ID 00664	Monitoring and measurement	Testing
Analyze system audit reports and determine the need to perform more tests. CC ID 00666	Monitoring and measurement	Testing
Monitor devices continuously for conformance with production specifications. CC ID 06201	Monitoring and measurement	Monitor and Evaluate Occurrences
Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657	Monitoring and measurement	Actionable Reports or Measurements
Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658	Monitoring and measurement	Actionable Reports or Measurements
Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659	Monitoring and measurement	Actionable Reports or Measurements
Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571	Monitoring and measurement	Actionable Reports or Measurements
Review the risk assessments as compared to the in scope controls. CC ID 06978 [According to ISO/IEC 27001:2022, 6.1.2 b), the organization in the scope of the ISMS is required to ensure that repeated information security risk assessments produce consistent, valid and comparable results. It means the chosen method should ensure the following properties of results: § 6.5 ¶ 4]	Audits and risk management	Testing
Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336	Audits and risk management	Business Processes
Analyze the risk management strategy for addressing requirements. CC ID 12926	Audits and risk management	Audits and Risk Management
Analyze the risk management strategy for addressing threats. CC ID 12925 [In general, to set risk criteria, the following should be considered: how combinations and sequences of multiple risks will be taken into account; § 6.4.1 ¶ 3 Bullet 6]	Audits and risk management	Audits and Risk Management
Analyze the risk management strategy for addressing opportunities. CC ID 12924 [Risk acceptance criteria should be established considering the following influencing factors: organizational opportunities; § 6.4.2 ¶ 5 Bullet 2]	Audits and risk management	Audits and Risk Management
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306	Audits and risk management	Human Resources Management
Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056	Audits and risk management	Investigate
Review the risk profiles, as necessary. CC ID 16561	Audits and risk management	Audits and Risk Management
Update the risk assessment upon discovery of a new threat. CC ID 00708	Audits and risk management	Establish/Maintain Documentation
Update the risk assessment upon changes to the risk profile. CC ID 11627 [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: § 5.2 ¶ 1 The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: analysing and learning lessons from incidents (including near misses), changes, trends, successes and failures; § 10.5.1 ¶ 2c)]	Audits and risk management	Establish/Maintain Documentation
Conduct external audits of risk assessments, as necessary. CC ID 13308	Audits and risk management	Audits and Risk Management
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491	Audits and risk management	Investigate
Conduct a Business Impact Analysis, as necessary. CC ID 01147	Audits and risk management	Audits and Risk Management
Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172 [When defining consequence criteria, the following should especially be considered: loss of staff and intellectual capital (skills and expertise); § 6.4.3.2 ¶ 2c)]	Audits and risk management	Process or Activity
Assess the potential level of business impact risk associated with individuals. CC ID 17170 [When defining consequence criteria, the following should especially be considered: adverse impact on interested parties; § 6.4.3.2 ¶ 2k) Risk acceptance criteria should be established considering the following influencing factors: human factors (e.g. related to privacy). § 6.4.2 ¶ 5 Bullet 9 When defining consequence criteria, the following should especially be considered: loss of life or harm to individuals or groups; § 6.4.3.2 ¶ 2a) When defining consequence criteria, the following should especially be considered: loss of freedom, dignity or right to privacy; § 6.4.3.2 ¶ 2b)]	Audits and risk management	Process or Activity
Assess the potential level of business impact risk associated with each business process. CC ID 06463 [Risk acceptance criteria should be established considering the following influencing factors: processes; § 6.4.2 ¶ 5 Bullet 7 {determine} {appropriateness} {risk management activities} Considerations for achieving this include: the strategic value of the business processes that make use of the information; § 6.4.3.1 ¶ 4c) Risk acceptance criteria should be established considering the following influencing factors: operational activities; § 6.4.2 ¶ 5 Bullet 4 {internal operations} When defining consequence criteria, the following should especially be considered: impaired internal or third-party operations (e.g. damage to a business function or process); § 6.4.3.2 ¶ 2d)]	Audits and risk management	Audits and Risk Management
Assess the potential level of business impact risk associated with the business environment. CC ID 06464 [In general, to set risk criteria, the following should be considered: how consequence and likelihood will be defined, predicted and measured; § 6.4.1 ¶ 3 Bullet 2 Consequently, risk acceptance criteria should ideally include consideration of likelihood and consequence independently, as well as costs of management, rather than merely level of risk as a combination of likelihood and consequence. § 6.4.2 ¶ 10 When defining consequence criteria, the following should especially be considered: effects to plans and deadlines; § 6.4.3.2 ¶ 2e) When defining consequence criteria, the following should especially be considered: loss of business advantage or market share; § 6.4.3.2 ¶ 2g) {business value} When defining consequence criteria, the following should especially be considered: loss of business and financial value; § 6.4.3.2 ¶ 2f) ISO 31000 is referenced in ISO/IEC 27001 as a general model. ISO/IEC 27001:2022, 6.1.2, requires that for each identified risk, the risk analysis is based on assessing the consequences resulting from the risk and assessing the likelihood of the risk to determine a level of risk. § 7.3.1 ¶ 2]	Audits and risk management	Audits and Risk Management
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: the criticality of the information and assets related to information involved; § 6.4.3.1 ¶ 4d) {determine} {appropriateness} {risk management activities} Considerations for achieving this include: the quantity, and any concentration of information; § 6.4.3.1 ¶ 4b)]	Audits and risk management	Audits and Risk Management
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173	Audits and risk management	Investigate
Assess the potential level of business impact risk associated with non-compliance. CC ID 17169 [When defining consequence criteria, the following should especially be considered: breaches of legal, regulatory or statutory requirements; § 6.4.3.2 ¶ 2i)]	Audits and risk management	Process or Activity
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: operational and business importance of availability, confidentiality and integrity; § 6.4.3.1 ¶ 4e) The consequences resulting from the failure to adequately preserve confidentiality, integrity or availability of information should be identified and assessed. § 7.3.2 ¶ 3]	Audits and risk management	Audits and Risk Management
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 [ISO/IEC 27001 is concerned with the consequences which are directly or indirectly affected by the preservation or loss of confidentiality, integrity and availability of information in the scope of the ISMS. Consequence criteria should be developed and specified in terms of the extent of damage or loss, or harm to an organization or individual resulting from the loss of confidentiality, integrity and availability of information. When defining consequence criteria, the following should especially be considered: § 6.4.3.2 ¶ 2]	Audits and risk management	Audits and Risk Management
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: negative consequences such as loss of goodwill and reputation; § 6.4.3.1 ¶ 4g) When defining consequence criteria, the following should especially be considered: damage to public trust or reputation; § 6.4.3.2 ¶ 2h)]	Audits and risk management	Audits and Risk Management
Assess the potential level of business impact risk associated with insider threats. CC ID 06468	Audits and risk management	Audits and Risk Management
Assess the potential level of business impact risk associated with the natural environment. CC ID 17171 [When defining consequence criteria, the following should especially be considered: negative impact on the environment, pollution. § 6.4.3.2 ¶ 2l)]	Audits and risk management	Process or Activity
Assess the potential level of business impact risk associated with external entities. CC ID 06469 [Risk acceptance criteria should be established considering the following influencing factors: supplier relationships; § 6.4.2 ¶ 5 Bullet 8 When defining consequence criteria, the following should especially be considered: breaches of contracts or service levels; § 6.4.3.2 ¶ 2j) {internal operations} When defining consequence criteria, the following should especially be considered: impaired internal or third-party operations (e.g. damage to a business function or process); § 6.4.3.2 ¶ 2d)]	Audits and risk management	Audits and Risk Management
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470	Audits and risk management	Actionable Reports or Measurements
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471	Audits and risk management	Audits and Risk Management
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 [{requirements} Action: Compare all necessary controls with those listed in ISO/IEC 27001:2022, Annex A. § 8.4 ¶ 3]	Audits and risk management	Establish/Maintain Documentation
Analyze the effect of threats on organizational strategies and objectives. CC ID 12850	Audits and risk management	Process or Activity
Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849	Audits and risk management	Process or Activity
Determine the effectiveness of risk control measures. CC ID 06601 [Risk treatment involves an iterative process of: assessing the effectiveness of that treatment; § 5.1 ¶ 6 Bullet 3 The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: ensuring that the risk treatments are effective, efficient and economical in both design and operation; § 10.5.1 ¶ 2a)]	Audits and risk management	Testing
Analyze the impact of artificial intelligence systems on society. CC ID 16317	Audits and risk management	Audits and Risk Management
Analyze the impact of artificial intelligence systems on individuals. CC ID 16316	Audits and risk management	Audits and Risk Management
Analyze supply chain risk management procedures, as necessary. CC ID 13198	Audits and risk management	Process or Activity
Define each system's preservation requirements for records and logs. CC ID 00904	Records management	Establish/Maintain Documentation

IT Impact Zone

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	TYPE
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Leadership and high level objectives CC ID 00597	Leadership and high level objectives	IT Impact Zone
Monitoring and measurement CC ID 00636	Monitoring and measurement	IT Impact Zone
Audits and risk management CC ID 00677	Audits and risk management	IT Impact Zone
Human Resources management CC ID 00763	Human Resources management	IT Impact Zone
Operational management CC ID 00805	Operational management	IT Impact Zone
Records management CC ID 00902	Records management	IT Impact Zone

Preventive

268

Mandated - bold Implied - italic Implementation - regular	IMPACT ZONE	TYPE
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term
Analyze organizational objectives, functions, and activities. CC ID 00598	Leadership and high level objectives	Monitor and Evaluate Occurrences
Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 [{risk management} The basic requirements of relevant interested parties should be identified, as well as the status of compliance with these requirements. This includes identifying all the reference documents that define security rules and controls and that apply within the scope of the information security risk assessment. § 6.2 ¶ 2 {determine} {appropriateness} {risk management activities} Considerations for achieving this include: the expectations and perceptions of interested parties (e.g. top management); § 6.4.3.1 ¶ 4f)]	Leadership and high level objectives	Business Processes
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241	Leadership and high level objectives	Establish/Maintain Documentation
Establish, implement, and maintain a policy and procedure management program. CC ID 06285	Leadership and high level objectives	Establish/Maintain Documentation
Establish and maintain an Authority Document list. CC ID 07113 [{risk management} The basic requirements of relevant interested parties should be identified, as well as the status of compliance with these requirements. This includes identifying all the reference documents that define security rules and controls and that apply within the scope of the information security risk assessment. § 6.2 ¶ 2]	Leadership and high level objectives	Establish/Maintain Documentation
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623	Leadership and high level objectives	Establish/Maintain Documentation
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636	Leadership and high level objectives	Establish/Maintain Documentation
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901	Leadership and high level objectives	Communicate
Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312	Leadership and high level objectives	Establish/Maintain Documentation
Classify controls according to their preventive, detective, or corrective status. CC ID 06436	Leadership and high level objectives	Establish/Maintain Documentation
Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727	Leadership and high level objectives	Establish/Maintain Documentation
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778	Leadership and high level objectives	Establish/Maintain Documentation
Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861	Leadership and high level objectives	Establish/Maintain Documentation
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774	Leadership and high level objectives	Establish/Maintain Documentation
Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866	Leadership and high level objectives	Establish/Maintain Documentation
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773	Leadership and high level objectives	Establish/Maintain Documentation
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772	Leadership and high level objectives	Establish/Maintain Documentation
Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956	Leadership and high level objectives	Establish Roles
Approve all compliance documents. CC ID 06286	Leadership and high level objectives	Establish/Maintain Documentation
Establish, implement, and maintain a compliance exception standard. CC ID 01628	Leadership and high level objectives	Establish/Maintain Documentation
Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 [Any non-compliance with the basic requirements should be explained and justified. These basic requirements and their compliance should be the input for the likelihood assessment and for the risk treatment. § 6.2 ¶ 4]	Leadership and high level objectives	Establish/Maintain Documentation
Establish, implement, and maintain a strategic plan. CC ID 12784	Leadership and high level objectives	Establish/Maintain Documentation
Establish, implement, and maintain a decision management strategy. CC ID 06913	Leadership and high level objectives	Establish/Maintain Documentation
Include cost benefit analysis in the decision management strategy. CC ID 14014 [An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can be based on likelihood and consequence alone, or can be extended to also consider the cost/benefit balance between prospective losses and the cost of controls; § 6.4.2 ¶ 4d) Consequently, risk acceptance criteria should ideally include consideration of likelihood and consequence independently, as well as costs of management, rather than merely level of risk as a combination of likelihood and consequence. § 6.4.2 ¶ 10]	Leadership and high level objectives	Establish/Maintain Documentation
Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841 [Risk acceptance criteria should be established considering the following influencing factors: organizational objectives; § 6.4.2 ¶ 5 Bullet 1]	Leadership and high level objectives	Process or Activity
Establish, implement, and maintain a risk monitoring program. CC ID 00658 [The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: § 10.5.1 ¶ 2 The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: obtaining information to improve future risk assessments; § 10.5.1 ¶ 2b) The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: detecting changes in the internal and external context, including changes to risk criteria and the risks themselves, which can require revision of risk treatments and priorities; § 10.5.1 ¶ 2d) Action: Risks and their factors (i.e. value of assets, consequences, threats, vulnerabilities, likelihood of occurrence) should be monitored and reviewed to identify any changes in the context of the organization at an early stage, and to maintain an overview of the complete risk picture. § 10.5.2 ¶ 3 The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: identifying emerging risks. § 10.5.1 ¶ 2e)]	Monitoring and measurement	Establish/Maintain Documentation
Monitor the organization's exposure to threats, as necessary. CC ID 06494	Monitoring and measurement	Monitor and Evaluate Occurrences
Implement a fraud detection system. CC ID 13081	Monitoring and measurement	Business Processes
Monitor for new vulnerabilities. CC ID 06843	Monitoring and measurement	Monitor and Evaluate Occurrences
Establish, implement, and maintain a compliance testing strategy. CC ID 00659	Monitoring and measurement	Establish/Maintain Documentation
Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833	Monitoring and measurement	Testing
Establish, implement, and maintain a system security plan. CC ID 01922	Monitoring and measurement	Testing
Include a system description in the system security plan. CC ID 16467	Monitoring and measurement	Establish/Maintain Documentation
Include a description of the operational context in the system security plan. CC ID 14301	Monitoring and measurement	Establish/Maintain Documentation
Include the results of the security categorization in the system security plan. CC ID 14281	Monitoring and measurement	Establish/Maintain Documentation
Include the information types in the system security plan. CC ID 14696	Monitoring and measurement	Establish/Maintain Documentation
Include the security requirements in the system security plan. CC ID 14274	Monitoring and measurement	Establish/Maintain Documentation
Include cryptographic key management procedures in the system security plan. CC ID 17029	Monitoring and measurement	Establish/Maintain Documentation
Include threats in the system security plan. CC ID 14693	Monitoring and measurement	Establish/Maintain Documentation
Include network diagrams in the system security plan. CC ID 14273	Monitoring and measurement	Establish/Maintain Documentation
Include roles and responsibilities in the system security plan. CC ID 14682	Monitoring and measurement	Establish/Maintain Documentation
Include backup and recovery procedures in the system security plan. CC ID 17043	Monitoring and measurement	Establish/Maintain Documentation
Include the results of the privacy risk assessment in the system security plan. CC ID 14676	Monitoring and measurement	Establish/Maintain Documentation
Include remote access methods in the system security plan. CC ID 16441	Monitoring and measurement	Establish/Maintain Documentation
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275	Monitoring and measurement	Communicate
Include a description of the operational environment in the system security plan. CC ID 14272	Monitoring and measurement	Establish/Maintain Documentation
Include the security categorizations and rationale in the system security plan. CC ID 14270	Monitoring and measurement	Establish/Maintain Documentation
Include the authorization boundary in the system security plan. CC ID 14257	Monitoring and measurement	Establish/Maintain Documentation
Align the enterprise architecture with the system security plan. CC ID 14255	Monitoring and measurement	Process or Activity
Include security controls in the system security plan. CC ID 14239	Monitoring and measurement	Establish/Maintain Documentation
Create specific test plans to test each system component. CC ID 00661	Monitoring and measurement	Establish/Maintain Documentation
Include the roles and responsibilities in the test plan. CC ID 14299	Monitoring and measurement	Establish/Maintain Documentation
Include the assessment team in the test plan. CC ID 14297	Monitoring and measurement	Establish/Maintain Documentation
Include the scope in the test plans. CC ID 14293	Monitoring and measurement	Establish/Maintain Documentation
Include the assessment environment in the test plan. CC ID 14271	Monitoring and measurement	Establish/Maintain Documentation
Approve the system security plan. CC ID 14241	Monitoring and measurement	Business Processes
Review the test plans for each system component. CC ID 00662	Monitoring and measurement	Establish/Maintain Documentation
Document validated testing processes in the testing procedures. CC ID 06200	Monitoring and measurement	Establish/Maintain Documentation
Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827	Monitoring and measurement	Establish/Maintain Documentation
Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665	Monitoring and measurement	Testing
Implement automated audit tools. CC ID 04882	Monitoring and measurement	Acquisition/Sale of Assets or Services
Assign senior management to approve test plans. CC ID 13071	Monitoring and measurement	Human Resources Management
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671	Monitoring and measurement	Establish/Maintain Documentation
Establish, implement, and maintain a metrics policy. CC ID 01654	Monitoring and measurement	Establish/Maintain Documentation
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653	Monitoring and measurement	Establish/Maintain Documentation
Establish, implement, and maintain risk management metrics. CC ID 01656 [{be equivalent} If a qualitative approach is used, the levels of any qualitative scale should be unambiguous, its increments should be clearly defined, the qualitative descriptions for each level should be expressed in objective language and the levels should not overlap. When different scales are used (e.g. to address risks in different business domains), there should be an equivalency to allow comparable results. § 6.4.3.4 ¶ 8 The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: analysing and learning lessons from incidents (including near misses), changes, trends, successes and failures; § 10.5.1 ¶ 2c)]	Monitoring and measurement	Establish/Maintain Documentation
Establish, implement, and maintain compliance program metrics. CC ID 11625 [{risk management} The basic requirements of relevant interested parties should be identified, as well as the status of compliance with these requirements. This includes identifying all the reference documents that define security rules and controls and that apply within the scope of the information security risk assessment. § 6.2 ¶ 2]	Monitoring and measurement	Monitor and Evaluate Occurrences
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678	Audits and risk management	Establish Roles
Define and assign the external auditor's roles and responsibilities. CC ID 00683	Audits and risk management	Establish Roles
Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188	Audits and risk management	Establish/Maintain Documentation
Review external auditor outsourcing contracts and engagement letters. CC ID 01189	Audits and risk management	Establish/Maintain Documentation
Establish, implement, and maintain a risk management program. CC ID 12051 [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: § 5.2 ¶ 1 {risk management operational cycle} The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: operational cycle, where the above-mentioned elements serves as input information or changed criteria that will affect a risk assessment or assessment where the scenarios should be reviewed and updated. The review should include updating of the corresponding risk treatment as applicable. § 5.2 ¶ 1 Bullet 2 {risk management strategic cycle} {risk management operational cycle} The strategic cycle should be conducted at longer time basis or when major changes occur while the operational cycle should be shorter depending on the detailed risks that are identified and assessed as well as the related risk treatment. § 5.2 ¶ 2 Action: The information security risk management process should be continually monitored, reviewed and improved as necessary. § 10.8 ¶ 3]	Audits and risk management	Establish/Maintain Documentation
Include the scope of risk management activities in the risk management program. CC ID 13658	Audits and risk management	Establish/Maintain Documentation
Integrate the risk management program with the organization's business activities. CC ID 13661	Audits and risk management	Business Processes
Integrate the risk management program into daily business decision-making. CC ID 13659 [The risk assessment should help the organization make decisions about the management of the risks that affect the achievement of its objectives. This should therefore be targeted at those risks and controls that, if managed successfully, will improve the likelihood of the organization achieving its objectives. § 6.3 ¶ 3]	Audits and risk management	Business Processes
Include managing mobile risks in the risk management program. CC ID 13535	Audits and risk management	Establish/Maintain Documentation
Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992	Audits and risk management	Audits and Risk Management
Include regular updating in the risk management system. CC ID 14990	Audits and risk management	Business Processes
Establish, implement, and maintain risk management strategies. CC ID 13209 [{risk management strategic cycle} The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: strategic cycle, where business assets, risk sources and threats, target objectives or consequences to information security events are evolving from changes in the overall context of the organization. This can result as inputs for an overall update of the risk assessment or risk assessments and the risk treatments. It can also serve as an input for identifying new risks and initiate completely new risk assessments; § 5.2 ¶ 1 Bullet 1 {risk management strategic cycle} {risk management operational cycle} The strategic cycle should be conducted at longer time basis or when major changes occur while the operational cycle should be shorter depending on the detailed risks that are identified and assessed as well as the related risk treatment. § 5.2 ¶ 2 {risk management approach} The chosen approach should be documented. § 6.5 ¶ 3]	Audits and risk management	Establish/Maintain Documentation
Include off-site storage of supplies in the risk management strategies. CC ID 13221	Audits and risk management	Establish/Maintain Documentation
Include data quality in the risk management strategies. CC ID 15308	Audits and risk management	Data and Information Management
Include the use of alternate service providers in the risk management strategies. CC ID 13217	Audits and risk management	Establish/Maintain Documentation
Include minimizing service interruptions in the risk management strategies. CC ID 13215	Audits and risk management	Establish/Maintain Documentation
Include off-site storage in the risk mitigation strategies. CC ID 13213	Audits and risk management	Establish/Maintain Documentation
Establish, implement, and maintain the risk assessment framework. CC ID 00685	Audits and risk management	Establish/Maintain Documentation
Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 [An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can include multiple thresholds, and authority for acceptance can be assigned to different levels of management; § 6.4.2 ¶ 4c)]	Audits and risk management	Establish Roles
Establish, implement, and maintain a risk assessment program. CC ID 00687 [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: § 5.2 ¶ 1 The organization should use the organizational risk assessment process (if established) to assess risks to information or to define an information security risk assessment process. § 7.1 ¶ 1 {risk treatment process} Action: Information about the information security risk assessment and treatment processes should be documented and retained. § 10.4.2 ¶ 2]	Audits and risk management	Establish/Maintain Documentation
Address past incidents in the risk assessment program. CC ID 12743	Audits and risk management	Audits and Risk Management
Include the need for risk assessments in the risk assessment program. CC ID 06447 [The context of the risk assessment should be determined including a description of scope and purpose as well as internal and external issues that affect the risk assessment. § 7.1 ¶ 3]	Audits and risk management	Establish/Maintain Documentation
Include the information flow of restricted data in the risk assessment program. CC ID 12339	Audits and risk management	Establish/Maintain Documentation
Establish and maintain the factors and context for risk to the organization. CC ID 12230 [In general, to set risk criteria, the following should be considered: the nature and type of uncertainties that can affect outcomes and objectives (both tangible and intangible); § 6.4.1 ¶ 3 Bullet 1 In general, to set risk criteria, the following should be considered: time-related factors; § 6.4.1 ¶ 3 Bullet 3 In general, to set risk criteria, the following should be considered: the organization's capacity. § 6.4.1 ¶ 3 Bullet 7 The list of influencing factors is not exhaustive. The organization should consider the influencing factors based on the context. § 6.4.2 ¶ 6 The context of the risk assessment should be determined including a description of scope and purpose as well as internal and external issues that affect the risk assessment. § 7.1 ¶ 3 Action: All relevant data should be considered to identify and describe internal and external issues influencing information security risk management and requirements of interested parties. § 10.1 ¶ 3]	Audits and risk management	Audits and Risk Management
Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 [Risk acceptance criteria should be established considering the following influencing factors: financial constraints; § 6.4.2 ¶ 5 Bullet 6]	Audits and risk management	Establish/Maintain Documentation
Establish, implement, and maintain insurance requirements. CC ID 16562	Audits and risk management	Establish/Maintain Documentation
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572	Audits and risk management	Communicate
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567	Audits and risk management	Communicate
Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878	Audits and risk management	Business Processes
Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877	Audits and risk management	Business Processes
Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903	Audits and risk management	Business Processes
Address cybersecurity risks in the risk assessment program. CC ID 13193	Audits and risk management	Establish/Maintain Documentation
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830	Audits and risk management	Process or Activity
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630	Audits and risk management	Establish/Maintain Documentation
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681	Audits and risk management	Establish/Maintain Documentation
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371	Audits and risk management	Establish/Maintain Documentation
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674	Audits and risk management	Establish/Maintain Documentation
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673	Audits and risk management	Establish/Maintain Documentation
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313	Audits and risk management	Communicate
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370	Audits and risk management	Establish/Maintain Documentation
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671	Audits and risk management	Establish/Maintain Documentation
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635	Audits and risk management	Establish/Maintain Documentation
Use the risk taxonomy when managing risk. CC ID 12280	Audits and risk management	Behavior
Establish, implement, and maintain a risk assessment policy. CC ID 14026	Audits and risk management	Establish/Maintain Documentation
Include compliance requirements in the risk assessment policy. CC ID 14121	Audits and risk management	Establish/Maintain Documentation
Include coordination amongst entities in the risk assessment policy. CC ID 14120	Audits and risk management	Establish/Maintain Documentation
Include management commitment in the risk assessment policy. CC ID 14119	Audits and risk management	Establish/Maintain Documentation
Include roles and responsibilities in the risk assessment policy. CC ID 14118	Audits and risk management	Establish/Maintain Documentation
Include the scope in the risk assessment policy. CC ID 14117	Audits and risk management	Establish/Maintain Documentation
Include the purpose in the risk assessment policy. CC ID 14116	Audits and risk management	Establish/Maintain Documentation
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115	Audits and risk management	Communicate
Establish, implement, and maintain risk assessment procedures. CC ID 06446	Audits and risk management	Establish/Maintain Documentation
Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 [{legal aspects} Risk acceptance criteria should be established considering the following influencing factors: legal and regulatory aspects; § 6.4.2 ¶ 5 Bullet 3 {legal requirements} The organization should develop a risk ranking, taking into account the following: legal and regulatory requirements, and contractual obligations; § 6.4.3.4 ¶ 3c)]	Audits and risk management	Establish/Maintain Documentation
Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 [Any non-compliance with the basic requirements should be explained and justified. These basic requirements and their compliance should be the input for the likelihood assessment and for the risk treatment. § 6.2 ¶ 4 Risk assessment criteria, or a formal basis for defining them, should be standardized across the organization for all types of risk assessment, as this can facilitate the communication, comparison and aggregation of risks associated with multiple business domains. § 6.4.3.1 ¶ 5 Whether quantitative or qualitative criteria are used, evaluation scales should ultimately be anchored to a reference scale that is understood by all interested parties, and both risk analysis and risk evaluation should include at least periodic formal calibration against the reference scale to ensure validity, consistency and comparability of results. § 6.4.3.4 ¶ 7 Whether quantitative or qualitative criteria are used, evaluation scales should ultimately be anchored to a reference scale that is understood by all interested parties, and both risk analysis and risk evaluation should include at least periodic formal calibration against the reference scale to ensure validity, consistency and comparability of results. § 6.4.3.4 ¶ 7 {information security risk management method} It means the chosen method should ensure the following properties of results: comparability: risk assessment criteria should be defined to ensure that assessments performed for different risks produce comparable results when representing equivalent levels of risk; § 6.5 ¶ 4 Bullet 2 The risk assessment process should be based on methods (see 6.5) and tools designed in sufficient detail to ensure, as far as is possible, consistent, valid and reproducible results. Furthermore, the outcome should be comparable, e.g. to determine whether the level of risk increased or decreased. § 7.1 ¶ 5 The risk assessment process should be based on methods (see 6.5) and tools designed in sufficient detail to ensure, as far as is possible, consistent, valid and reproducible results. Furthermore, the outcome should be comparable, e.g. to determine whether the level of risk increased or decreased. § 7.1 ¶ 5 {information security risk management method} It means the chosen method should ensure the following properties of results: consistency: assessments of the same risks performed by different persons, or by the same persons on different occasions, in the same context, should produce similar results; § 6.5 ¶ 4 Bullet 1]	Audits and risk management	Establish/Maintain Documentation
Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476	Audits and risk management	Establish/Maintain Documentation
Employ risk assessment procedures that take into account information classification. CC ID 06477 [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: the classification level of information; § 6.4.3.1 ¶ 4a)]	Audits and risk management	Establish/Maintain Documentation
Employ risk assessment procedures that align with strategic objectives. CC ID 06474 [The risk assessment should help the organization make decisions about the management of the risks that affect the achievement of its objectives. This should therefore be targeted at those risks and controls that, if managed successfully, will improve the likelihood of the organization achieving its objectives. § 6.3 ¶ 3 Risk analysis should be targeted at those risks and controls that, if managed successfully, improve the likelihood of the organization achieving its objectives. It is easy to spend significant time on a risk assessment, notably the assessment of likelihoods and consequences. To enable efficient decisionmaking on the management of risks, it can be sufficient to use initial, and rough estimates of likelihood and consequence. § 7.3.1 ¶ 4]	Audits and risk management	Establish/Maintain Documentation
Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478	Audits and risk management	Establish/Maintain Documentation
Analyze the organization's information security environment. CC ID 13122	Audits and risk management	Technical Security
Employ risk assessment procedures that take into account the target environment. CC ID 06479 [{information security risk management method} It means the chosen method should ensure the following properties of results: validity: assessments should produce the results that accord as closely as possible with reality. § 6.5 ¶ 4 Bullet 3]	Audits and risk management	Establish/Maintain Documentation
Document cybersecurity risks. CC ID 12281	Audits and risk management	Establish/Maintain Documentation
Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480	Audits and risk management	Establish/Maintain Documentation
Employ risk assessment procedures that take into account risk factors. CC ID 16560	Audits and risk management	Audits and Risk Management
Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342	Audits and risk management	Establish/Maintain Documentation
Include compliance with retention requirements in the risk assessment procedures. CC ID 12341	Audits and risk management	Establish/Maintain Documentation
Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 [Information security risk assessment criteria should take into account the appropriateness of risk management activities. § 6.4.3.1 ¶ 3]	Audits and risk management	Establish/Maintain Documentation
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153	Audits and risk management	Human Resources Management
Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157	Audits and risk management	Audits and Risk Management
Include language that is easy to understand in the risk assessment report. CC ID 06461	Audits and risk management	Establish/Maintain Documentation
Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 [An organization should define levels of risk acceptance. The following should be considered during development: different risk acceptance criteria can apply to different classes of risk (e.g. risks that can result in non-compliance with regulations or laws are not always retained, while acceptance of risks can be allowed if the acceptance is a result of a contractual requirement); § 6.4.2 ¶ 4e) Consequence criteria define how an organization categorizes the significance of potential information security events to the organization. It is essential to determine how many categories of consequences are used, how they are defined, and what consequences are associated with each category. Usually, consequence criteria are different for different organizations depending on the organization's internal and external context. § 6.4.3.2 ¶ 3 Depending on the situation, it is recommended to consider the inherent level of risk (without considering any controls), or the current level of risk (allowing for the effectiveness of any controls already implemented). The organization should develop a risk ranking, taking into account the following: § 6.4.3.4 ¶ 3 {external risk} The organization should develop a risk ranking, taking into account the following: risks that appear beyond the boundaries of the organization's scope, including unforeseen effects on third parties. § 6.4.3.4 ¶ 3d) Action: Level of risks should be compared against risk evaluation criteria, particularly risk acceptance criteria. § 7.4.1 ¶ 3]	Audits and risk management	Establish/Maintain Documentation
Document organizational risk criteria. CC ID 12277	Audits and risk management	Establish/Maintain Documentation
Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699	Audits and risk management	Technical Security
Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443	Audits and risk management	Audits and Risk Management
Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 [Action: Risks associated with the loss of confidentiality, integrity and availability of information should be identified. § 7.2.1 ¶ 3]	Audits and risk management	Audits and Risk Management
Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600	Audits and risk management	Establish/Maintain Documentation
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 [In general, to set risk criteria, the following should be considered: how consequence and likelihood will be defined, predicted and measured; § 6.4.1 ¶ 3 Bullet 2 Consequently, risk acceptance criteria should ideally include consideration of likelihood and consequence independently, as well as costs of management, rather than merely level of risk as a combination of likelihood and consequence. § 6.4.2 ¶ 10 Likelihood criteria should cover the predictably manageable range of anticipated event likelihoods. Beyond the limits of practicable manageability, it is typically only necessary to recognize that one or another limit has been exceeded in order to make an adequate risk management decision (designation as an extreme case). If finite scales are too wide, this typically results in excessively coarse quantization and can lead to error in assessment. This is particularly the case where likelihoods fall into the high end of exponentially represented scales, as the increments in the upper ranges are intrinsically very wide. § 6.4.3.3 ¶ 4 The organization should develop a risk ranking, taking into account the following: the consequence criteria and likelihood criteria; § 6.4.3.4 ¶ 3a) ISO 31000 is referenced in ISO/IEC 27001 as a general model. ISO/IEC 27001:2022, 6.1.2, requires that for each identified risk, the risk analysis is based on assessing the consequences resulting from the risk and assessing the likelihood of the risk to determine a level of risk. § 7.3.1 ¶ 2 The likelihood of occurrence of possible or actual scenarios should be assessed and expressed using established likelihood criteria. § 7.3.3 ¶ 3]	Audits and risk management	Audits and Risk Management
Approve the threat and risk classification scheme. CC ID 15693	Audits and risk management	Business Processes
Include the environments that call for risk assessments in the risk assessment program. CC ID 06448	Audits and risk management	Establish/Maintain Documentation
Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462	Audits and risk management	Establish/Maintain Documentation
Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449	Audits and risk management	Establish/Maintain Documentation
Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450	Audits and risk management	Establish/Maintain Documentation
Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451	Audits and risk management	Establish/Maintain Documentation
Automate as much of the risk assessment program, as necessary. CC ID 06459	Audits and risk management	Audits and Risk Management
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 [Whether quantitative or qualitative criteria are used, evaluation scales should ultimately be anchored to a reference scale that is understood by all interested parties, and both risk analysis and risk evaluation should include at least periodic formal calibration against the reference scale to ensure validity, consistency and comparability of results. § 6.4.3.4 ¶ 7]	Audits and risk management	Communicate
Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458	Audits and risk management	Establish/Maintain Documentation
Perform risk assessments for all target environments, as necessary. CC ID 06452 [If the risk assessment provides sufficient information to effectively determine the actions required to modify the risks to an acceptable level, then the task is complete and the risk treatment follows. If the information is insufficient, another iteration of the risk assessment should be performed. This can involve a change of context of the risk assessment (e.g. revised scope), involvement of expertise in the relevant field, or other ways to collect the information required to enable risk modification to an acceptable level (see "risk decision point 1" in Figure 1). § 5.1 ¶ 5 Organizations can perform risk assessments embedded within many different processes, such as project management, vulnerability management, incident management, problem management, or even on an impromptu basis for a given identified specific topic. Regardless of how risk assessments are performed, they should collectively cover all the issues relevant to the organization within the scope of an ISMS. § 6.3 ¶ 2 Organizations can perform risk assessments embedded within many different processes, such as project management, vulnerability management, incident management, problem management, or even on an impromptu basis for a given identified specific topic. Regardless of how risk assessments are performed, they should collectively cover all the issues relevant to the organization within the scope of an ISMS. § 6.3 ¶ 2 {requirement} Action: The risk assessment process should be performed in accordance with Clause 7. § 9.1 ¶ 3]	Audits and risk management	Testing
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241	Audits and risk management	Establish/Maintain Documentation
Include physical assets in the scope of the risk assessment. CC ID 13075	Audits and risk management	Establish/Maintain Documentation
Include the results of the risk assessment in the risk assessment report. CC ID 06481	Audits and risk management	Establish/Maintain Documentation
Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109	Audits and risk management	Audits and Risk Management
Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154	Audits and risk management	Audits and Risk Management
Review the risk to the audit function when the audit personnel status changes. CC ID 01153	Audits and risk management	Audits and Risk Management
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312	Audits and risk management	Establish/Maintain Documentation
Create a risk assessment report based on the risk assessment results. CC ID 15695 [{risk treatment} Action: Information about the information security risk assessment and treatment results should be documented and retained. § 10.4.3 ¶ 2]	Audits and risk management	Establish/Maintain Documentation
Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633	Audits and risk management	Communicate
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313	Audits and risk management	Communicate
Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453	Audits and risk management	Business Processes
Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 [Action: Information on risks, their causes, consequences, their likelihood and the controls being taken to treat them should be communicated to, or obtained from, the external and internal interested parties. § 10.3 ¶ 4]	Audits and risk management	Behavior
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 [The organization should develop a risk ranking, taking into account the following: the consequence criteria and likelihood criteria; § 6.4.3.4 ¶ 3a) The consequences resulting from the failure to adequately preserve confidentiality, integrity or availability of information should be identified and assessed. § 7.3.2 ¶ 3 The organization should develop a risk ranking, taking into account the following: the consequences that information security events can have on strategic, tactical and operational levels (this can be defined as worst case or in other terms provided the same basis is used consistently); § 6.4.3.4 ¶ 3b)]	Audits and risk management	Audits and Risk Management
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224	Audits and risk management	Establish/Maintain Documentation
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264	Audits and risk management	Establish/Maintain Documentation
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223	Audits and risk management	Establish/Maintain Documentation
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222	Audits and risk management	Establish/Maintain Documentation
Include pandemic risks in the Business Impact Analysis. CC ID 13219	Audits and risk management	Establish/Maintain Documentation
Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172	Audits and risk management	Establish/Maintain Documentation
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300	Audits and risk management	Communicate
Establish, implement, and maintain a risk register. CC ID 14828	Audits and risk management	Establish/Maintain Documentation
Document organizational risk tolerance in a risk register. CC ID 09961	Audits and risk management	Establish/Maintain Documentation
Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962	Audits and risk management	Business Processes
Review the Business Impact Analysis, as necessary. CC ID 12774	Audits and risk management	Business Processes
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [The organization should use the organizational risk assessment process (if established) to assess risks to information or to define an information security risk assessment process. § 7.1 ¶ 1]	Audits and risk management	Audits and Risk Management
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 [In general, to set risk criteria, the following should be considered: consistency in the use of measurements; § 6.4.1 ¶ 3 Bullet 4 In general, to set risk criteria, the following should be considered: how the level of risk will be determined; § 6.4.1 ¶ 3 Bullet 5 Consequence criteria define how an organization categorizes the significance of potential information security events to the organization. It is essential to determine how many categories of consequences are used, how they are defined, and what consequences are associated with each category. Usually, consequence criteria are different for different organizations depending on the organization's internal and external context. § 6.4.3.2 ¶ 3 {be equivalent} If a qualitative approach is used, the levels of any qualitative scale should be unambiguous, its increments should be clearly defined, the qualitative descriptions for each level should be expressed in objective language and the levels should not overlap. When different scales are used (e.g. to address risks in different business domains), there should be an equivalency to allow comparable results. § 6.4.3.4 ¶ 8]	Audits and risk management	Audits and Risk Management
Identify the material risks in the risk assessment report. CC ID 06482	Audits and risk management	Audits and Risk Management
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [Risk treatment involves an iterative process of: deciding whether the remaining risk is acceptable; § 5.1 ¶ 6 Bullet 4 It is important to understand that risk appetite, defined as the amount of risk an organization is willing to pursue or accept, can vary considerably from organization to organization. For instance, factors affecting an organization's risk appetite include size, complexity and sector. Risk appetite should be set and regularly reviewed by top management. § 6.1 ¶ 3 An organization should define levels of risk acceptance. The following should be considered during development: § 6.4.2 ¶ 4 {is unacceptable} In risk evaluation, risk acceptance criteria should be used to determine whether a risk is acceptable or not. § 6.4.2 ¶ 2 An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can include multiple thresholds, and authority for acceptance can be assigned to different levels of management; § 6.4.2 ¶ 4c) An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can be based on likelihood and consequence alone, or can be extended to also consider the cost/benefit balance between prospective losses and the cost of controls; § 6.4.2 ¶ 4d) An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria should be defined based upon the risk appetite that indicates amount and type of risk that the organization is willing to pursue or retain; § 6.4.2 ¶ 4g) An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can be absolute or conditional depending on the context. § 6.4.2 ¶ 4h) The risk criteria should be kept under review and updated as necessary as a result of any changes in the context of information security risk management. § 6.4.2 ¶ 13 {determine} {appropriateness} {risk management activities} Considerations for achieving this include: consistency with the organizational risk criteria. § 6.4.3.1 ¶ 4h) Depending on the situation, it is recommended to consider the inherent level of risk (without considering any controls), or the current level of risk (allowing for the effectiveness of any controls already implemented). The organization should develop a risk ranking, taking into account the following: § 6.4.3.4 ¶ 3 Risk acceptance criteria should be established considering the following influencing factors: § 6.4.2 ¶ 5 The level of risk should be determined as a combination of the assessed likelihood and the assessed consequences for all relevant risk scenarios. § 7.3.4 ¶ 3 Action: Determine whether the residual risks are acceptable. § 8.6.3 ¶ 3]	Audits and risk management	Establish/Maintain Documentation
Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887	Audits and risk management	Investigate
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 [Risk treatment involves an iterative process of: formulating and selecting risk treatment options; § 5.1 ¶ 6 Bullet 1 Action: Risk treatment options should be chosen. § 8.2 ¶ 3]	Audits and risk management	Establish/Maintain Documentation
Approve the risk acceptance level, as necessary. CC ID 17168 [The risk acceptance criteria should be approved by the authorized management level. § 6.4.2 ¶ 15]	Audits and risk management	Process or Activity
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849	Audits and risk management	Behavior
Document the results of the gap analysis. CC ID 16271	Audits and risk management	Establish/Maintain Documentation
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [The purpose of scales for level of risk is to help risk owners to decide about retaining or otherwise treating risks and to prioritize them for risk treatment. The assessed level of a particular risk should help the organization to determine the urgency for addressing that risk. § 6.4.3.4 ¶ 2 Action: The risks on the list should be prioritized for risk treatment, considering assessed levels of risks. § 7.4.2 ¶ 3 The output of this process is a set of necessary information security controls [see ISO/IEC 27001:2022, 6.1.3 b)] that are to be deployed or enhanced in relation to one another, in accordance with the risk treatment plan [see ISO/IEC 27001:2022, 6.1.3 e)]. Deployed in this way, the effectiveness of the risk treatment plan is to modify the information security risk facing the organization so that it meets the organization's criteria for acceptance. § 8.1 ¶ 2 Action: Determine all controls, from the chosen control sets as selected from an appropriate source, that are necessary for treating the risks based on the risk treatment options chosen, such as to modify, retain, avoid or share the risks. § 8.3 ¶ 3]	Audits and risk management	Audits and Risk Management
Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822	Audits and risk management	Audits and Risk Management
Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946	Audits and risk management	Audits and Risk Management
Establish, implement, and maintain a risk treatment plan. CC ID 11983 [Risk treatment involves an iterative process of: planning and implementing risk treatment; § 5.1 ¶ 6 Bullet 2 An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can include requirements for future additional treatment (e.g. a risk can be retained on a short-term basis even when the level of risk exceeds the risk acceptance criteria if there is approval and commitment to take action to implement a chosen set of controls to reach an acceptable level within a defined time period); § 6.4.2 ¶ 4f) {risk management operational cycle} The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to, the entire risk assessment and the updates can be divided into two risk management cycles: operational cycle, where the above-mentioned elements serves as input information or changed criteria that will affect a risk assessment or assessment where the scenarios should be reviewed and updated. The review should include updating of the corresponding risk treatment as applicable. § 5.2 ¶ 1 Bullet 2 Action: Formulate risk treatment plan. § 8.6.1 ¶ 3 Action: The risk treatment process should be performed in accordance with Clause 8. § 9.2 ¶ 3 {risk treatment process} Action: Information about the information security risk assessment and treatment processes should be documented and retained. § 10.4.2 ¶ 2 {risk treatment} Action: Information about the information security risk assessment and treatment results should be documented and retained. § 10.4.3 ¶ 2 Action: Revise the risk treatment plan and implement it to modify the residual risk to an acceptable level. § 10.7 ¶ 3]	Audits and risk management	Establish/Maintain Documentation
Include roles and responsibilities in the risk treatment plan. CC ID 16991	Audits and risk management	Establish/Maintain Documentation
Include time information in the risk treatment plan. CC ID 16993	Audits and risk management	Establish/Maintain Documentation
Include allocation of resources in the risk treatment plan. CC ID 16989	Audits and risk management	Establish/Maintain Documentation
Include the date of the risk assessment in the risk treatment plan. CC ID 16321	Audits and risk management	Establish/Maintain Documentation
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320	Audits and risk management	Audits and Risk Management
Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835	Audits and risk management	Audits and Risk Management
Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834	Audits and risk management	Audits and Risk Management
Include the risk treatment strategy in the risk treatment plan. CC ID 12159 [{be unacceptable} Risk treatment involves an iterative process of: taking further treatment if not acceptable. § 5.1 ¶ 6 Bullet 5]	Audits and risk management	Establish/Maintain Documentation
Include an overview of the migration project plan in the risk treatment plan. CC ID 11982	Audits and risk management	Establish/Maintain Documentation
Include change control processes in the risk treatment plan. CC ID 11981	Audits and risk management	Establish/Maintain Documentation
Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980	Audits and risk management	Establish/Maintain Documentation
Include the implemented risk management controls in the risk treatment plan. CC ID 11979	Audits and risk management	Establish/Maintain Documentation
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620	Audits and risk management	Establish/Maintain Documentation
Include risk assessment results in the risk treatment plan. CC ID 11978	Audits and risk management	Establish/Maintain Documentation
Include a description of usage in the risk treatment plan. CC ID 11977	Audits and risk management	Establish/Maintain Documentation
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619	Audits and risk management	Establish/Maintain Documentation
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 [Action: Information on risks, their causes, consequences, their likelihood and the controls being taken to treat them should be communicated to, or obtained from, the external and internal interested parties. § 10.3 ¶ 4]	Audits and risk management	Communicate
Approve the risk treatment plan. CC ID 13495 [{approve} Action: Approval of risk treatment plan(s) by risk owners. § 8.6.2 ¶ 3 Action: The results of information security risk assessment and status of the information security risk treatment plan should be reviewed to confirm that residual risks meet risk acceptance criteria, and that the risk treatment plan addresses all relevant risks and their risk treatment options. § 10.6 ¶ 3]	Audits and risk management	Audits and Risk Management
Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457	Audits and risk management	Establish/Maintain Documentation
Review and approve the risk assessment findings. CC ID 06485 [Action: The results of information security risk assessment and status of the information security risk treatment plan should be reviewed to confirm that residual risks meet risk acceptance criteria, and that the risk treatment plan addresses all relevant risks and their risk treatment options. § 10.6 ¶ 3]	Audits and risk management	Establish/Maintain Documentation
Include risk responses in the risk management program. CC ID 13195	Audits and risk management	Establish/Maintain Documentation
Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 [It is important to understand that risk appetite, defined as the amount of risk an organization is willing to pursue or accept, can vary considerably from organization to organization. For instance, factors affecting an organization's risk appetite include size, complexity and sector. Risk appetite should be set and regularly reviewed by top management. § 6.1 ¶ 3]	Audits and risk management	Business Processes
Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220	Audits and risk management	Establish/Maintain Documentation
Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255	Audits and risk management	Establish/Maintain Documentation
Analyze the impact of artificial intelligence systems on business operations. CC ID 16356	Audits and risk management	Business Processes
Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827	Audits and risk management	Audits and Risk Management
Include a commitment to continuous improvement In the cybersecurity risk management program. CC ID 16839	Audits and risk management	Establish/Maintain Documentation
Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831	Audits and risk management	Monitor and Evaluate Occurrences
Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834	Audits and risk management	Establish/Maintain Documentation
Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832	Audits and risk management	Communicate
Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829	Audits and risk management	Communicate
Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991	Audits and risk management	Establish/Maintain Documentation
Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276	Audits and risk management	Establish/Maintain Documentation
Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582	Audits and risk management	Establish/Maintain Documentation
Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825	Audits and risk management	Communicate
Evaluate the cyber insurance market. CC ID 12695	Audits and risk management	Business Processes
Evaluate the usefulness of cyber insurance to the organization. CC ID 12694	Audits and risk management	Business Processes
Acquire cyber insurance, as necessary. CC ID 12693	Audits and risk management	Business Processes
Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826	Audits and risk management	Establish/Maintain Documentation
Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830	Audits and risk management	Establish/Maintain Documentation
Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828	Audits and risk management	Monitor and Evaluate Occurrences
Establish, implement, and maintain a supply chain risk management policy. CC ID 14663	Audits and risk management	Establish/Maintain Documentation
Include compliance requirements in the supply chain risk management policy. CC ID 14711	Audits and risk management	Establish/Maintain Documentation
Include coordination amongst entities in the supply chain risk management policy. CC ID 14710	Audits and risk management	Establish/Maintain Documentation
Include management commitment in the supply chain risk management policy. CC ID 14709	Audits and risk management	Establish/Maintain Documentation
Include roles and responsibilities in the supply chain risk management policy. CC ID 14708	Audits and risk management	Establish/Maintain Documentation
Include the scope in the supply chain risk management policy. CC ID 14707	Audits and risk management	Establish/Maintain Documentation
Include the purpose in the supply chain risk management policy. CC ID 14706	Audits and risk management	Establish/Maintain Documentation
Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662	Audits and risk management	Communicate
Establish, implement, and maintain a supply chain risk management plan. CC ID 14713	Audits and risk management	Establish/Maintain Documentation
Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619	Audits and risk management	Establish/Maintain Documentation
Include dates in the supply chain risk management plan. CC ID 15617	Audits and risk management	Establish/Maintain Documentation
Include implementation milestones in the supply chain risk management plan. CC ID 15615	Audits and risk management	Establish/Maintain Documentation
Include roles and responsibilities in the supply chain risk management plan. CC ID 15613	Audits and risk management	Establish/Maintain Documentation
Include supply chain risk management procedures in the risk management program. CC ID 13190	Audits and risk management	Establish/Maintain Documentation
Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712	Audits and risk management	Communicate
Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199	Audits and risk management	Human Resources Management
Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792	Audits and risk management	Communicate
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806	Human Resources management	Establish Roles
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807	Human Resources management	Establish Roles
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 [The organization should ensure that the role of the risk owner is determined in terms of the management activities regarding the identified risks. Risk owners should have appropriate accountability and authority for managing identified risks. § 6.1 ¶ 4 Action: Appropriate level of management should consider results related to information security risks, to decide on or endorse further actions. § 10.2 ¶ 3 Action: Risks should be associated to risk owners. § 7.2.2 ¶ 3]	Human Resources management	Human Resources Management
Define and assign workforce roles and responsibilities. CC ID 13267	Human Resources management	Human Resources Management
Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 [The organization should ensure that the role of the risk owner is determined in terms of the management activities regarding the identified risks. Risk owners should have appropriate accountability and authority for managing identified risks. § 6.1 ¶ 4 An organization should define levels of risk acceptance. The following should be considered during development: the level of management with delegated authority to make risk acceptance decisions is identified; § 6.4.2 ¶ 4b)]	Human Resources management	Human Resources Management
Include the management structure in the duties and responsibilities for risk management. CC ID 13665	Human Resources management	Human Resources Management
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406	Operational management	Establish/Maintain Documentation
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 [Risk acceptance criteria should be established considering the following influencing factors: technological constraints; § 6.4.2 ¶ 5 Bullet 5]	Operational management	Process or Activity
Establish, implement, and maintain an internal control framework. CC ID 00820	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 [Action: Produce a Statement of Applicability. § 8.5 ¶ 3]	Operational management	Business Processes
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129	Operational management	Establish/Maintain Documentation
Include the implementation status of controls in the baseline of internal controls. CC ID 16128	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain an information security program. CC ID 00812	Operational management	Establish/Maintain Documentation
Include risk management in the information security program. CC ID 12378 [Although almost anything is "possible", the risk sources that should be given primary attention are those with likelihoods most relevant to the organization's context and the scope of its ISMS. § 6.4.3.3 ¶ 5 The organization should ensure that its information security risk management approach aligns with the organizational risk management approach, so that any information security risks can be compared with other organizational risks and not only considered in isolation. § 7.1 ¶ 6]	Operational management	Establish/Maintain Documentation
Include mitigating supply chain risks in the information security program. CC ID 13352	Operational management	Establish/Maintain Documentation
Establish, implement, and maintain an information security policy. CC ID 11740	Operational management	Establish/Maintain Documentation
Align the information security policy with the organization's risk acceptance level. CC ID 13042 [An organization should define levels of risk acceptance. The following should be considered during development: consistency between the information security risk acceptance criteria and the organization's general risk acceptance criteria; § 6.4.2 ¶ 4a) {risk management methods} In general, the information security risk management approach and methods should be aligned with the approach and methods used to manage the other risks of the organization. § 6.5 ¶ 2]	Operational management	Business Processes
Establish, implement, and maintain records management policies. CC ID 00903	Records management	Establish/Maintain Documentation
Determine how long to keep records and logs before disposing them. CC ID 11661	Records management	Process or Activity
Retain records in accordance with applicable requirements. CC ID 00968 [{risk treatment process} Action: Information about the information security risk assessment and treatment processes should be documented and retained. § 10.4.2 ¶ 2 {risk treatment} Action: Information about the information security risk assessment and treatment results should be documented and retained. § 10.4.3 ¶ 2]	Records management	Records Management

International > International Organization for Standardization

ISO/IEC 27005﻿: Information security, cybersecurity and privacy protection — Guidance on managing information security risks, Fourth edition

Important Notice

The process we used to tag and map this document

Controls and asociated Citations breakdown

ISO/IEC 27005: Information security, cybersecurity and privacy protection — Guidance on managing information security risks, Fourth edition