
ISO/IEC 27005: Information security, cybersecurity and privacy protection — Guidance on managing information security risks, Fourth edition



AD ID

0003954

AD STATUS

ISO/IEC 27005: Information security, cybersecurity and privacy protection — Guidance on managing information security risks, Fourth edition

ORIGINATOR

International Organization for Standardization

TYPE

International or National Standard

AVAILABILITY

Free

SYNONYMS

ISO 27005:2022

ISO/IEC 27005: Information security, cybersecurity and privacy protection — Guidance on managing information security risks

EFFECTIVE

2022-10-01

ADDED

The document as a whole was last reviewed and released on 2024-08-09T00:00:00-0700.


Important Notice

This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and associated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. Because each Citation and mandate is tied to a Common Control, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of every Citation we found within ISO/IEC 27005: Information security, cybersecurity and privacy protection — Guidance on managing information security risks, Fourth edition, each tagged with its primary and secondary nouns and primary and secondary verbs, in four-column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance itself, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives the Common Control itself.

Dictionary Terms – The dictionary terms listed for ISO/IEC 27005: Information security, cybersecurity and privacy protection — Guidance on managing information security risks, Fourth edition are drawn from the Authority Document's defined-terms section (which most legal documents have), from its glossary, and, for the most part, from the terms tagged within each mandate. Terms shown with links are the standardized version of the term.



Common Controls and mandates by Impact Zone
67 Mandated Controls (bold), 6 Implied Controls (italic), 140 Implementation Controls (regular)

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls: 213 Total
  • Audits and risk management: 161
    KEY: Primary Verb | Primary Noun | Secondary Verb | Secondary Noun | Limiting Term
    Mandated - bold | Implied - italic | Implementation - regular | TYPE | CLASS
    Audits and risk management CC ID 00677 IT Impact Zone
    Review the risk assessments as compared to the in scope controls. CC ID 06978
    [According to ISO/IEC 27001:2022, 6.1.2 b), the organization in the scope of the ISMS is required to ensure that repeated information security risk assessments produce consistent, valid and comparable results. It means the chosen method should ensure the following properties of results: § 6.5 ¶ 4]
    Testing Detective
    Establish, implement, and maintain a risk management program. CC ID 12051
    [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to the entire risk assessment, and the updates can be divided into two risk management cycles: § 5.2 ¶ 1
    {risk management operational cycle} The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to the entire risk assessment, and the updates can be divided into two risk management cycles: operational cycle, where the above-mentioned elements serve as input information or changed criteria that will affect a risk assessment or assessment where the scenarios should be reviewed and updated. The review should include updating of the corresponding risk treatment as applicable. § 5.2 ¶ 1 Bullet 2
    {risk management strategic cycle} {risk management operational cycle} The strategic cycle should be conducted at longer time basis or when major changes occur while the operational cycle should be shorter depending on the detailed risks that are identified and assessed as well as the related risk treatment. § 5.2 ¶ 2
    Action: The information security risk management process should be continually monitored, reviewed and improved as necessary. § 10.8 ¶ 3]
    Establish/Maintain Documentation Preventive
    Include the scope of risk management activities in the risk management program. CC ID 13658 Establish/Maintain Documentation Preventive
    Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 Business Processes Detective
    Integrate the risk management program with the organization's business activities. CC ID 13661 Business Processes Preventive
    Integrate the risk management program into daily business decision-making. CC ID 13659
    [The risk assessment should help the organization make decisions about the management of the risks that affect the achievement of its objectives. This should therefore be targeted at those risks and controls that, if managed successfully, will improve the likelihood of the organization achieving its objectives. § 6.3 ¶ 3]
    Business Processes Preventive
    Include managing mobile risks in the risk management program. CC ID 13535 Establish/Maintain Documentation Preventive
    Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 Audits and Risk Management Preventive
    Include regular updating in the risk management system. CC ID 14990 Business Processes Preventive
    Establish, implement, and maintain a risk management policy. CC ID 17192 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain risk management strategies. CC ID 13209
    [{risk management strategic cycle} The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to the entire risk assessment, and the updates can be divided into two risk management cycles: strategic cycle, where business assets, risk sources and threats, target objectives or consequences to information security events are evolving from changes in the overall context of the organization. This can result as inputs for an overall update of the risk assessment or risk assessments and the risk treatments. It can also serve as an input for identifying new risks and initiate completely new risk assessments; § 5.2 ¶ 1 Bullet 1
    {risk management strategic cycle} {risk management operational cycle} The strategic cycle should be conducted at longer time basis or when major changes occur while the operational cycle should be shorter depending on the detailed risks that are identified and assessed as well as the related risk treatment. § 5.2 ¶ 2
    {risk management approach} The chosen approach should be documented. § 6.5 ¶ 3]
    Establish/Maintain Documentation Preventive
    Include off-site storage of supplies in the risk management strategies. CC ID 13221 Establish/Maintain Documentation Preventive
    Include data quality in the risk management strategies. CC ID 15308 Data and Information Management Preventive
    Include minimizing service interruptions in the risk management strategies. CC ID 13215 Establish/Maintain Documentation Preventive
    Include off-site storage in the risk mitigation strategies. CC ID 13213 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Establish/Maintain Documentation Preventive
    Analyze the risk management strategy for addressing threats. CC ID 12925
    [In general, to set risk criteria, the following should be considered: how combinations and sequences of multiple risks will be taken into account; § 6.4.1 ¶ 3 Bullet 6]
    Audits and Risk Management Detective
    Analyze the risk management strategy for addressing opportunities. CC ID 12924
    [Risk acceptance criteria should be established considering the following influencing factors: organizational opportunities; § 6.4.2 ¶ 5 Bullet 2]
    Audits and Risk Management Detective
    Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456
    [An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can include multiple thresholds, and authority for acceptance can be assigned to different levels of management; § 6.4.2 ¶ 4c)]
    Establish Roles Preventive
    Establish, implement, and maintain a risk assessment program. CC ID 00687
    [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to the entire risk assessment, and the updates can be divided into two risk management cycles: § 5.2 ¶ 1
    The organization should use the organizational risk assessment process (if established) to assess risks to information or to define an information security risk assessment process. § 7.1 ¶ 1
    {risk treatment process} Action: Information about the information security risk assessment and treatment processes should be documented and retained. § 10.4.2 ¶ 2]
    Establish/Maintain Documentation Preventive
    Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 Human Resources Management Detective
    Include the need for risk assessments in the risk assessment program. CC ID 06447
    [The context of the risk assessment should be determined including a description of scope and purpose as well as internal and external issues that affect the risk assessment. § 7.1 ¶ 3]
    Establish/Maintain Documentation Preventive
    Establish and maintain the factors and context for risk to the organization. CC ID 12230
    [In general, to set risk criteria, the following should be considered: the nature and type of uncertainties that can affect outcomes and objectives (both tangible and intangible); § 6.4.1 ¶ 3 Bullet 1
    In general, to set risk criteria, the following should be considered: time-related factors; § 6.4.1 ¶ 3 Bullet 3
    In general, to set risk criteria, the following should be considered: the organization's capacity. § 6.4.1 ¶ 3 Bullet 7
    The list of influencing factors is not exhaustive. The organization should consider the influencing factors based on the context. § 6.4.2 ¶ 6
    The context of the risk assessment should be determined including a description of scope and purpose as well as internal and external issues that affect the risk assessment. § 7.1 ¶ 3
    Action: All relevant data should be considered to identify and describe internal and external issues influencing information security risk management and requirements of interested parties. § 10.1 ¶ 3]
    Audits and Risk Management Preventive
    Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786
    [Risk acceptance criteria should be established considering the following influencing factors: financial constraints; § 6.4.2 ¶ 5 Bullet 6]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain insurance requirements. CC ID 16562 Establish/Maintain Documentation Preventive
    Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 Communicate Preventive
    Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 Communicate Preventive
    Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 Acquisition/Sale of Assets or Services Corrective
    Address cybersecurity risks in the risk assessment program. CC ID 13193 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain fundamental rights impact assessments. CC ID 17217 Audits and Risk Management Preventive
    Include the categories of data used by the system in the fundamental rights impact assessment. CC ID 17248 Establish/Maintain Documentation Preventive
    Include metrics in the fundamental rights impact assessment. CC ID 17249 Establish/Maintain Documentation Preventive
    Include the benefits of the system in the fundamental rights impact assessment. CC ID 17244 Establish/Maintain Documentation Preventive
    Include user safeguards in the fundamental rights impact assessment. CC ID 17255 Establish/Maintain Documentation Preventive
    Include the outputs produced by the system in the fundamental rights impact assessment. CC ID 17247 Establish/Maintain Documentation Preventive
    Include the purpose in the fundamental rights impact assessment. CC ID 17243 Establish/Maintain Documentation Preventive
    Include monitoring procedures in the fundamental rights impact assessment. CC ID 17254 Establish/Maintain Documentation Preventive
    Include risk management measures in the fundamental rights impact assessment. CC ID 17224 Establish/Maintain Documentation Preventive
    Include human oversight measures in the fundamental rights impact assessment. CC ID 17223 Establish/Maintain Documentation Preventive
    Include risks in the fundamental rights impact assessment. CC ID 17222 Establish/Maintain Documentation Preventive
    Include affected parties in the fundamental rights impact assessment. CC ID 17221 Establish/Maintain Documentation Preventive
    Include the frequency in the fundamental rights impact assessment. CC ID 17220 Establish/Maintain Documentation Preventive
    Include the usage duration in the fundamental rights impact assessment. CC ID 17219 Establish/Maintain Documentation Preventive
    Include system use in the fundamental rights impact assessment. CC ID 17218 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 Process or Activity Preventive
    Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 Communicate Preventive
    Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a risk assessment policy. CC ID 14026 Establish/Maintain Documentation Preventive
    Include compliance requirements in the risk assessment policy. CC ID 14121 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the risk assessment policy. CC ID 14120 Establish/Maintain Documentation Preventive
    Include management commitment in the risk assessment policy. CC ID 14119 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the risk assessment policy. CC ID 14118 Establish/Maintain Documentation Preventive
    Include the scope in the risk assessment policy. CC ID 14117 Establish/Maintain Documentation Preventive
    Include the purpose in the risk assessment policy. CC ID 14116 Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 Communicate Preventive
    Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472
    [{legal aspects} Risk acceptance criteria should be established considering the following influencing factors: legal and regulatory aspects; § 6.4.2 ¶ 5 Bullet 3
    {legal requirements} The organization should develop a risk ranking, taking into account the following: legal and regulatory requirements, and contractual obligations; § 6.4.3.4 ¶ 3c)]
    Establish/Maintain Documentation Preventive
    Analyze the organization's information security environment. CC ID 13122 Technical Security Preventive
    Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473
    [Any non-compliance with the basic requirements should be explained and justified. These basic requirements and their compliance should be the input for the likelihood assessment and for the risk treatment. § 6.2 ¶ 4
    Risk assessment criteria, or a formal basis for defining them, should be standardized across the organization for all types of risk assessment, as this can facilitate the communication, comparison and aggregation of risks associated with multiple business domains. § 6.4.3.1 ¶ 5
    Whether quantitative or qualitative criteria are used, evaluation scales should ultimately be anchored to a reference scale that is understood by all interested parties, and both risk analysis and risk evaluation should include at least periodic formal calibration against the reference scale to ensure validity, consistency and comparability of results. § 6.4.3.4 ¶ 7
    {information security risk management method} It means the chosen method should ensure the following properties of results: comparability: risk assessment criteria should be defined to ensure that assessments performed for different risks produce comparable results when representing equivalent levels of risk; § 6.5 ¶ 4 Bullet 2
    The risk assessment process should be based on methods (see 6.5) and tools designed in sufficient detail to ensure, as far as is possible, consistent, valid and reproducible results. Furthermore, the outcome should be comparable, e.g. to determine whether the level of risk increased or decreased. § 7.1 ¶ 5
    {information security risk management method} It means the chosen method should ensure the following properties of results: consistency: assessments of the same risks performed by different persons, or by the same persons on different occasions, in the same context, should produce similar results; § 6.5 ¶ 4 Bullet 1]
    Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account information classification. CC ID 06477
    [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: the classification level of information; § 6.4.3.1 ¶ 4a)]
    Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that align with strategic objectives. CC ID 06474
    [The risk assessment should help the organization make decisions about the management of the risks that affect the achievement of its objectives. This should therefore be targeted at those risks and controls that, if managed successfully, will improve the likelihood of the organization achieving its objectives. § 6.3 ¶ 3
    Risk analysis should be targeted at those risks and controls that, if managed successfully, improve the likelihood of the organization achieving its objectives. It is easy to spend significant time on a risk assessment, notably the assessment of likelihoods and consequences. To enable efficient decision-making on the management of risks, it can be sufficient to use initial, and rough estimates of likelihood and consequence. § 7.3.1 ¶ 4]
    Establish/Maintain Documentation Preventive
    Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 Human Resources Management Preventive
    Employ risk assessment procedures that take into account the target environment. CC ID 06479
    [{information security risk management method} It means the chosen method should ensure the following properties of results: validity: assessments should produce the results that accord as closely as possible with reality. § 6.5 ¶ 4 Bullet 3]
    Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account risk factors. CC ID 16560 Audits and Risk Management Preventive
    Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183
    [An organization should define levels of risk acceptance. The following should be considered during development: different risk acceptance criteria can apply to different classes of risk (e.g. risks that can result in non-compliance with regulations or laws are not always retained, while acceptance of risks can be allowed if the acceptance is a result of a contractual requirement); § 6.4.2 ¶ 4e)
    Consequence criteria define how an organization categorizes the significance of potential information security events to the organization. It is essential to determine how many categories of consequences are used, how they are defined, and what consequences are associated with each category. Usually, consequence criteria are different for different organizations depending on the organization's internal and external context. § 6.4.3.2 ¶ 3
    Depending on the situation, it is recommended to consider the inherent level of risk (without considering any controls), or the current level of risk (allowing for the effectiveness of any controls already implemented). The organization should develop a risk ranking, taking into account the following: § 6.4.3.4 ¶ 3
    {external risk} The organization should develop a risk ranking, taking into account the following: risks that appear beyond the boundaries of the organization's scope, including unforeseen effects on third parties. § 6.4.3.4 ¶ 3d)
    Action: Level of risks should be compared against risk evaluation criteria, particularly risk acceptance criteria. § 7.4.1 ¶ 3]
    Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484
    [Information security risk assessment criteria should take into account the appropriateness of risk management activities. § 6.4.3.1 ¶ 3]
    Establish/Maintain Documentation Preventive
    Review the risk profiles, as necessary. CC ID 16561 Audits and Risk Management Detective
    Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698
    [Action: Risks associated with the loss of confidentiality, integrity and availability of information should be identified. § 7.2.1 ¶ 3]
    Audits and Risk Management Preventive
    Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173
    [In general, to set risk criteria, the following should be considered: how consequence and likelihood will be defined, predicted and measured; § 6.4.1 ¶ 3 Bullet 2
    Consequently, risk acceptance criteria should ideally include consideration of likelihood and consequence independently, as well as costs of management, rather than merely level of risk as a combination of likelihood and consequence. § 6.4.2 ¶ 10
    Likelihood criteria should cover the predictably manageable range of anticipated event likelihoods. Beyond the limits of practicable manageability, it is typically only necessary to recognize that one or another limit has been exceeded in order to make an adequate risk management decision (designation as an extreme case). If finite scales are too wide, this typically results in excessively coarse quantization and can lead to error in assessment. This is particularly the case where likelihoods fall into the high end of exponentially represented scales, as the increments in the upper ranges are intrinsically very wide. § 6.4.3.3 ¶ 4
    The organization should develop a risk ranking, taking into account the following: the consequence criteria and likelihood criteria; § 6.4.3.4 ¶ 3a)
    ISO 31000 is referenced in ISO/IEC 27001 as a general model. ISO/IEC 27001:2022, 6.1.2, requires that for each identified risk, the risk analysis is based on assessing the consequences resulting from the risk and assessing the likelihood of the risk to determine a level of risk. § 7.3.1 ¶ 2
    The likelihood of occurrence of possible or actual scenarios should be assessed and expressed using established likelihood criteria. § 7.3.3 ¶ 3]
    Audits and Risk Management Preventive
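    The citations above (§ 6.4.2 ¶ 10 and § 6.4.3.3 ¶ 4) state a design rule rather than a number: acceptance criteria should look at likelihood and consequence independently, not only at their combined level, and likelihood scales should end in an "extreme case" marker instead of stretching finite buckets over values beyond the manageable range. The following Python is an added illustration of that rule; it is not text, code or a method from ISO/IEC 27005 or from the UCF mapping. The five-point scales, the thresholds in AcceptanceCriteria, the legal-non-compliance class and the sample risks are constructed assumptions chosen to show why a combined-level-only criterion accepts risks that a practitioner would treat.

```python
"""Risk evaluation with likelihood and consequence judged independently.

Added illustration of ISO/IEC 27005 6.4.2 / 6.4.3.3 / 6.4.3.4 guidance.
All scale values, thresholds and sample risks are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List

# Constructed ordinal scales (1 = lowest). The top bucket is an "extreme case"
# marker: beyond the predictably manageable range it is enough to record that
# the limit was exceeded (6.4.3.3) rather than quantise further.
LIKELIHOOD_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely",
                    5: "beyond manageable range"}
CONSEQUENCE_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major",
                     5: "beyond manageable range"}


@dataclass(frozen=True)
class AcceptanceCriteria:
    """Constructed thresholds; the standard says what to consider, not values."""
    max_level: int            # combined level (likelihood x consequence) that may be accepted
    max_likelihood: int       # a likelihood above this is never accepted on its own
    max_consequence: int      # a consequence above this is never accepted on its own
    accept_legal_noncompliance: bool = False  # different criteria per class of risk (6.4.2 4 e)


@dataclass(frozen=True)
class Risk:
    ident: str
    likelihood: int
    consequence: int
    legal_noncompliance: bool = False  # class of risk, see 6.4.2 4 e)


def validate(r: Risk) -> None:
    """Reject values that are not on the agreed reference scale (6.4.3.4 7)."""
    if r.likelihood not in LIKELIHOOD_SCALE or r.consequence not in CONSEQUENCE_SCALE:
        raise ValueError(f"{r.ident}: likelihood/consequence not on the reference scale")


def level_of_risk(r: Risk) -> int:
    """Combined level as a plain product; on its own this hides the distribution."""
    return r.likelihood * r.consequence


def is_extreme(r: Risk) -> bool:
    """True when either dimension sits in the 'beyond manageable range' bucket."""
    return r.likelihood == max(LIKELIHOOD_SCALE) or r.consequence == max(CONSEQUENCE_SCALE)


def evaluate(r: Risk, c: AcceptanceCriteria) -> str:
    """Return 'accept' or 'treat: <reason>'.

    The independent checks run before the combined-level check, so a low-likelihood,
    high-consequence risk is treated even when its product is under max_level.
    """
    validate(r)
    if is_extreme(r):
        return "treat: extreme case, outside manageable range"
    if r.legal_noncompliance and not c.accept_legal_noncompliance:
        return "treat: legal/regulatory non-compliance class"
    if r.likelihood > c.max_likelihood:
        return "treat: likelihood above acceptance threshold"
    if r.consequence > c.max_consequence:
        return "treat: consequence above acceptance threshold"
    if level_of_risk(r) > c.max_level:
        return "treat: combined level above acceptance threshold"
    return "accept"


def rank(risks: List[Risk]) -> List[Risk]:
    """Order for treatment planning: extreme cases first, then by level descending."""
    return sorted(risks, key=lambda r: (not is_extreme(r), -level_of_risk(r), r.ident))


if __name__ == "__main__":
    criteria = AcceptanceCriteria(max_level=6, max_likelihood=3, max_consequence=3)
    sample = [  # constructed scenarios
        Risk("backup-tape-loss", likelihood=1, consequence=4),
        Risk("phishing-click", likelihood=2, consequence=3),
        Risk("unpatched-edge-rce", likelihood=5, consequence=1),
        Risk("retention-breach", likelihood=2, consequence=2, legal_noncompliance=True),
    ]
    for risk in rank(sample):
        print(f"{risk.ident:22} level={level_of_risk(risk):2}  {evaluate(risk, criteria)}")
```

    Note that backup-tape-loss and a hypothetical likelihood-4, consequence-1 risk both have level 4, below the constructed max_level of 6; only the independent consequence check separates them, which is the point § 6.4.2 ¶ 10 makes.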
    Approve the threat and risk classification scheme. CC ID 15693 Business Processes Preventive
    Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136
    [Whether quantitative or qualitative criteria are used, evaluation scales should ultimately be anchored to a reference scale that is understood by all interested parties, and both risk analysis and risk evaluation should include at least periodic formal calibration against the reference scale to ensure validity, consistency and comparability of results. § 6.4.3.4 ¶ 7]
    Communicate Preventive
    Perform risk assessments for all target environments, as necessary. CC ID 06452
    [If the risk assessment provides sufficient information to effectively determine the actions required to modify the risks to an acceptable level, then the task is complete and the risk treatment follows. If the information is insufficient, another iteration of the risk assessment should be performed. This can involve a change of context of the risk assessment (e.g. revised scope), involvement of expertise in the relevant field, or other ways to collect the information required to enable risk modification to an acceptable level (see "risk decision point 1" in Figure 1). § 5.1 ¶ 5
    Organizations can perform risk assessments embedded within many different processes, such as project management, vulnerability management, incident management, problem management, or even on an impromptu basis for a given identified specific topic. Regardless of how risk assessments are performed, they should collectively cover all the issues relevant to the organization within the scope of an ISMS. § 6.3 ¶ 2
    {requirement} Action: The risk assessment process should be performed in accordance with Clause 7. § 9.1 ¶ 3]
    Testing Preventive
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 Establish/Maintain Documentation Preventive
    Update the risk assessment upon changes to the risk profile. CC ID 11627
    [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to the entire risk assessment, and the updates can be divided into two risk management cycles: § 5.2 ¶ 1
    The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: analysing and learning lessons from incidents (including near misses), changes, trends, successes and failures; § 10.5.1 ¶ 2c)]
    Establish/Maintain Documentation Detective
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Establish/Maintain Documentation Preventive
    Create a risk assessment report based on the risk assessment results. CC ID 15695
    [{risk treatment} Action: Information about the information security risk assessment and treatment results should be documented and retained. § 10.4.3 ¶ 2]
    Establish/Maintain Documentation Preventive
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and Risk Management Detective
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Communicate Preventive
    Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718
    [Action: Information on risks, their causes, consequences, their likelihood and the controls being taken to treat them should be communicated to, or obtained from, the external and internal interested parties. § 10.3 ¶ 4]
    Behavior Preventive
    Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 Investigate Detective
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686
    [The organization should develop a risk ranking, taking into account the following: the consequence criteria and likelihood criteria; § 6.4.3.4 ¶ 3a)
    The consequences resulting from the failure to adequately preserve confidentiality, integrity or availability of information should be identified and assessed. § 7.3.2 ¶ 3
    The organization should develop a risk ranking, taking into account the following: the consequences that information security events can have on strategic, tactical and operational levels (this can be defined as worst case or in other terms provided the same basis is used consistently); § 6.4.3.4 ¶ 3b)]
    Audits and Risk Management Preventive
    Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 Establish/Maintain Documentation Preventive
    Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 Establish/Maintain Documentation Preventive
    Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 Establish/Maintain Documentation Preventive
    Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 Establish/Maintain Documentation Preventive
    Include pandemic risks in the Business Impact Analysis. CC ID 13219 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 Communicate Preventive
    Establish, implement, and maintain a risk register. CC ID 14828 Establish/Maintain Documentation Preventive
    Analyze and quantify the risks to in scope systems and information. CC ID 00701
    [The organization should use the organizational risk assessment process (if established) to assess risks to information or to define an information security risk assessment process. § 7.1 ¶ 1]
    Audits and Risk Management Preventive
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703
    [In general, to set risk criteria, the following should be considered: consistency in the use of measurements; § 6.4.1 ¶ 3 Bullet 4
    In general, to set risk criteria, the following should be considered: how the level of risk will be determined; § 6.4.1 ¶ 3 Bullet 5
    Consequence criteria define how an organization categorizes the significance of potential information security events to the organization. It is essential to determine how many categories of consequences are used, how they are defined, and what consequences are associated with each category. Usually, consequence criteria are different for different organizations depending on the organization's internal and external context. § 6.4.3.2 ¶ 3
    {be equivalent} If a qualitative approach is used, the levels of any qualitative scale should be unambiguous, its increments should be clearly defined, the qualitative descriptions for each level should be expressed in objective language and the levels should not overlap. When different scales are used (e.g. to address risks in different business domains), there should be an equivalency to allow comparable results. § 6.4.3.4 ¶ 8]
    Audits and Risk Management Preventive
    Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172
    [When defining consequence criteria, the following should especially be considered: loss of staff and intellectual capital (skills and expertise); § 6.4.3.2 ¶ 2c)]
    Process or Activity Detective
    Assess the potential level of business impact risk associated with individuals. CC ID 17170
    [When defining consequence criteria, the following should especially be considered: adverse impact on interested parties; § 6.4.3.2 ¶ 2k)
    Risk acceptance criteria should be established considering the following influencing factors: human factors (e.g. related to privacy). § 6.4.2 ¶ 5 Bullet 9
    When defining consequence criteria, the following should especially be considered: loss of life or harm to individuals or groups; § 6.4.3.2 ¶ 2a)
    When defining consequence criteria, the following should especially be considered: loss of freedom, dignity or right to privacy; § 6.4.3.2 ¶ 2b)]
    Process or Activity Detective
    Assess the potential level of business impact risk associated with each business process. CC ID 06463
    [Risk acceptance criteria should be established considering the following influencing factors: processes; § 6.4.2 ¶ 5 Bullet 7
    {determine} {appropriateness} {risk management activities} Considerations for achieving this include: the strategic value of the business processes that make use of the information; § 6.4.3.1 ¶ 4c)
    Risk acceptance criteria should be established considering the following influencing factors: operational activities; § 6.4.2 ¶ 5 Bullet 4
    {internal operations} When defining consequence criteria, the following should especially be considered: impaired internal or third-party operations (e.g. damage to a business function or process); § 6.4.3.2 ¶ 2d)]
    Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464
    [In general, to set risk criteria, the following should be considered: how consequence and likelihood will be defined, predicted and measured; § 6.4.1 ¶ 3 Bullet 2
    Consequently, risk acceptance criteria should ideally include consideration of likelihood and consequence independently, as well as costs of management, rather than merely level of risk as a combination of likelihood and consequence. § 6.4.2 ¶ 10
    When defining consequence criteria, the following should especially be considered: effects to plans and deadlines; § 6.4.3.2 ¶ 2e)
    When defining consequence criteria, the following should especially be considered: loss of business advantage or market share; § 6.4.3.2 ¶ 2g)
    {business value} When defining consequence criteria, the following should especially be considered: loss of business and financial value; § 6.4.3.2 ¶ 2f)
    ISO 31000 is referenced in ISO/IEC 27001 as a general model. ISO/IEC 27001:2022, 6.1.2, requires that for each identified risk, the risk analysis is based on assessing the consequences resulting from the risk and assessing the likelihood of the risk to determine a level of risk. § 7.3.1 ¶ 2]
    Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465
    [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: the criticality of the information and assets related to information involved; § 6.4.3.1 ¶ 4d)
    {determine} {appropriateness} {risk management activities} Considerations for achieving this include: the quantity, and any concentration of information; § 6.4.3.1 ¶ 4b)]
    Audits and Risk Management Detective
    Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 Investigate Detective
    Assess the potential level of business impact risk associated with non-compliance. CC ID 17169
    [When defining consequence criteria, the following should especially be considered: breaches of legal, regulatory or statutory requirements; § 6.4.3.2 ¶ 2i)]
    Process or Activity Detective
    Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466
    [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: operational and business importance of availability, confidentiality and integrity; § 6.4.3.1 ¶ 4e)
    The consequences resulting from the failure to adequately preserve confidentiality, integrity or availability of information should be identified and assessed. § 7.3.2 ¶ 3]
    Audits and Risk Management Detective
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467
    [ISO/IEC 27001 is concerned with the consequences which are directly or indirectly affected by the preservation or loss of confidentiality, integrity and availability of information in the scope of the ISMS. Consequence criteria should be developed and specified in terms of the extent of damage or loss, or harm to an organization or individual resulting from the loss of confidentiality, integrity and availability of information. When defining consequence criteria, the following should especially be considered: § 6.4.3.2 ¶ 2]
    Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with reputational damage. CC ID 15335
    [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: negative consequences such as loss of goodwill and reputation; § 6.4.3.1 ¶ 4g)
    When defining consequence criteria, the following should especially be considered: damage to public trust or reputation; § 6.4.3.2 ¶ 2h)]
    Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with the natural environment. CC ID 17171
    [When defining consequence criteria, the following should especially be considered: negative impact on the environment, pollution. § 6.4.3.2 ¶ 2l)]
    Process or Activity Detective
    Assess the potential level of business impact risk associated with external entities. CC ID 06469
    [Risk acceptance criteria should be established considering the following influencing factors: supplier relationships; § 6.4.2 ¶ 5 Bullet 8
    When defining consequence criteria, the following should especially be considered: breaches of contracts or service levels; § 6.4.3.2 ¶ 2j)
    {internal operations} When defining consequence criteria, the following should especially be considered: impaired internal or third-party operations (e.g. damage to a business function or process); § 6.4.3.2 ¶ 2d)]
    Audits and Risk Management Detective
    Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706
    [Risk treatment involves an iterative process of: deciding whether the remaining risk is acceptable; § 5.1 ¶ 6 Bullet 4
    It is important to understand that risk appetite, defined as the amount of risk an organization is willing to pursue or accept, can vary considerably from organization to organization. For instance, factors affecting an organization's risk appetite include size, complexity and sector. Risk appetite should be set and regularly reviewed by top management. § 6.1 ¶ 3
    An organization should define levels of risk acceptance. The following should be considered during development: § 6.4.2 ¶ 4
    {is unacceptable} In risk evaluation, risk acceptance criteria should be used to determine whether a risk is acceptable or not. § 6.4.2 ¶ 2
    An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can include multiple thresholds, and authority for acceptance can be assigned to different levels of management; § 6.4.2 ¶ 4c)
    An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can be based on likelihood and consequence alone, or can be extended to also consider the cost/benefit balance between prospective losses and the cost of controls; § 6.4.2 ¶ 4d)
    An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria should be defined based upon the risk appetite that indicates amount and type of risk that the organization is willing to pursue or retain; § 6.4.2 ¶ 4g)
    An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can be absolute or conditional depending on the context. § 6.4.2 ¶ 4h)
    The risk criteria should be kept under review and updated as necessary as a result of any changes in the context of information security risk management. § 6.4.2 ¶ 13
    {determine} {appropriateness} {risk management activities} Considerations for achieving this include: consistency with the organizational risk criteria. § 6.4.3.1 ¶ 4h)
    Depending on the situation, it is recommended to consider the inherent level of risk (without considering any controls), or the current level of risk (allowing for the effectiveness of any controls already implemented). The organization should develop a risk ranking, taking into account the following: § 6.4.3.4 ¶ 3
    Risk acceptance criteria should be established considering the following influencing factors: § 6.4.2 ¶ 5
    The level of risk should be determined as a combination of the assessed likelihood and the assessed consequences for all relevant risk scenarios. § 7.3.4 ¶ 3
    Action: Determine whether the residual risks are acceptable. § 8.6.3 ¶ 3]
    Establish/Maintain Documentation Preventive
    Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483
    [Risk treatment involves an iterative process of: formulating and selecting risk treatment options; § 5.1 ¶ 6 Bullet 1
    Action: Risk treatment options should be chosen. § 8.2 ¶ 3]
    Establish/Maintain Documentation Preventive
    Approve the risk acceptance level, as necessary. CC ID 17168
    [The risk acceptance criteria should be approved by the authorized management level. § 6.4.2 ¶ 15]
    Process or Activity Preventive
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704
    [{requirements} Action: Compare all necessary controls with those listed in ISO/IEC 27001:2022, Annex A. § 8.4 ¶ 3]
    Establish/Maintain Documentation Detective
    Document the results of the gap analysis. CC ID 16271 Establish/Maintain Documentation Preventive
    Prioritize and select controls based on the risk assessment findings. CC ID 00707
    [The purpose of scales for level of risk is to help risk owners to decide about retaining or otherwise treating risks and to prioritize them for risk treatment. The assessed level of a particular risk should help the organization to determine the urgency for addressing that risk. § 6.4.3.4 ¶ 2
    Action: The risks on the list should be prioritized for risk treatment, considering assessed levels of risks. § 7.4.2 ¶ 3
    The output of this process is a set of necessary information security controls [see ISO/IEC 27001:2022, 6.1.3 b)] that are to be deployed or enhanced in relation to one another, in accordance with the risk treatment plan [see ISO/IEC 27001:2022, 6.1.3 e)]. Deployed in this way, the effectiveness of the risk treatment plan is to modify the information security risk facing the organization so that it meets the organization's criteria for acceptance. § 8.1 ¶ 2
    Action: Determine all controls, from the chosen control sets as selected from an appropriate source, that are necessary for treating the risks based on the risk treatment options chosen, such as to modify, retain, avoid or share the risks. § 8.3 ¶ 3]
    Audits and Risk Management Preventive
    Determine the effectiveness of risk control measures. CC ID 06601
    [Risk treatment involves an iterative process of: assessing the effectiveness of that treatment; § 5.1 ¶ 6 Bullet 3
    The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: ensuring that the risk treatments are effective, efficient and economical in both design and operation; § 10.5.1 ¶ 2a)]
    Testing Detective
    Establish, implement, and maintain a risk treatment plan. CC ID 11983
    [Risk treatment involves an iterative process of: planning and implementing risk treatment; § 5.1 ¶ 6 Bullet 2
    An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can include requirements for future additional treatment (e.g. a risk can be retained on a short-term basis even when the level of risk exceeds the risk acceptance criteria if there is approval and commitment to take action to implement a chosen set of controls to reach an acceptable level within a defined time period); § 6.4.2 ¶ 4f)
    {risk management operational cycle} The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to the entire risk assessment and the updates can be divided into two risk management cycles: operational cycle, where the above-mentioned elements serve as input information or changed criteria that will affect a risk assessment or assessment where the scenarios should be reviewed and updated. The review should include updating of the corresponding risk treatment as applicable. § 5.2 ¶ 1 Bullet 2
    Action: Formulate risk treatment plan. § 8.6.1 ¶ 3
    Action: The risk treatment process should be performed in accordance with Clause 8. § 9.2 ¶ 3
    {risk treatment process} Action: Information about the information security risk assessment and treatment processes should be documented and retained. § 10.4.2 ¶ 2
    {risk treatment} Action: Information about the information security risk assessment and treatment results should be documented and retained. § 10.4.3 ¶ 2
    Action: Revise the risk treatment plan and implement it to modify the residual risk to an acceptable level. § 10.7 ¶ 3]
    Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the risk treatment plan. CC ID 16991 Establish/Maintain Documentation Preventive
    Include time information in the risk treatment plan. CC ID 16993 Establish/Maintain Documentation Preventive
    Include allocation of resources in the risk treatment plan. CC ID 16989 Establish/Maintain Documentation Preventive
    Include the date of the risk assessment in the risk treatment plan. CC ID 16321 Establish/Maintain Documentation Preventive
    Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 Audits and Risk Management Preventive
    Include the risk treatment strategy in the risk treatment plan. CC ID 12159
    [{be unacceptable} Risk treatment involves an iterative process of: taking further treatment if not acceptable. § 5.1 ¶ 6 Bullet 5]
    Establish/Maintain Documentation Preventive
    Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552
    [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to the entire risk assessment and the updates can be divided into two risk management cycles: § 5.2 ¶ 1]
    Establish/Maintain Documentation Corrective
    Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 Establish/Maintain Documentation Preventive
    Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694
    [Action: Information on risks, their causes, consequences, their likelihood and the controls being taken to treat them should be communicated to, or obtained from, the external and internal interested parties. § 10.3 ¶ 4]
    Communicate Preventive
    Approve the risk treatment plan. CC ID 13495
    [{approve} Action: Approval of risk treatment plan(s) by risk owners. § 8.6.2 ¶ 3
    Action: The results of information security risk assessment and status of the information security risk treatment plan should be reviewed to confirm that residual risks meet risk acceptance criteria, and that the risk treatment plan addresses all relevant risks and their risk treatment options. § 10.6 ¶ 3]
    Audits and Risk Management Preventive
    Review and approve the risk assessment findings. CC ID 06485
    [Action: The results of information security risk assessment and status of the information security risk treatment plan should be reviewed to confirm that residual risks meet risk acceptance criteria, and that the risk treatment plan addresses all relevant risks and their risk treatment options. § 10.6 ¶ 3]
    Establish/Maintain Documentation Preventive
    Document residual risk in a residual risk report. CC ID 13664 Establish/Maintain Documentation Corrective
    Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672
    [It is important to understand that risk appetite, defined as the amount of risk an organization is willing to pursue or accept, can vary considerably from organization to organization. For instance, factors affecting an organization's risk appetite include size, complexity and sector. Risk appetite should be set and regularly reviewed by top management. § 6.1 ¶ 3]
    Business Processes Preventive
    Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 Establish/Maintain Documentation Preventive
    Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 Establish/Maintain Documentation Preventive
    Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 Business Processes Preventive
    Analyze the impact of artificial intelligence systems on society. CC ID 16317 Audits and Risk Management Detective
    Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 Audits and Risk Management Detective
    Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 Audits and Risk Management Preventive
    Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 Establish/Maintain Documentation Preventive
    Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 Establish/Maintain Documentation Preventive
    Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 Communicate Preventive
    Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 Communicate Preventive
    Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 Establish/Maintain Documentation Preventive
    Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 Establish/Maintain Documentation Preventive
    Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 Communicate Preventive
    Acquire cyber insurance, as necessary. CC ID 12693 Business Processes Preventive
    Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 Establish/Maintain Documentation Preventive
    Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 Establish/Maintain Documentation Preventive
    Include compliance requirements in the supply chain risk management policy. CC ID 14711 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 Establish/Maintain Documentation Preventive
    Include management commitment in the supply chain risk management policy. CC ID 14709 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 Establish/Maintain Documentation Preventive
    Include the scope in the supply chain risk management policy. CC ID 14707 Establish/Maintain Documentation Preventive
    Include the purpose in the supply chain risk management policy. CC ID 14706 Establish/Maintain Documentation Preventive
    Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 Communicate Preventive
    Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 Establish/Maintain Documentation Preventive
    Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 Establish/Maintain Documentation Preventive
    Include dates in the supply chain risk management plan. CC ID 15617 Establish/Maintain Documentation Preventive
    Include implementation milestones in the supply chain risk management plan. CC ID 15615 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 Establish/Maintain Documentation Preventive
    Include supply chain risk management procedures in the risk management program. CC ID 13190 Establish/Maintain Documentation Preventive
    Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 Communicate Preventive
    Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 Human Resources Management Preventive
    Analyze supply chain risk management procedures, as necessary. CC ID 13198 Process or Activity Detective
    Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 Communicate Preventive
  • Human Resources management
    6
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Human Resources management CC ID 00763 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 Establish Roles Preventive
    Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 Establish Roles Preventive
    Assign ownership of risks to the Board of Directors or senior management. CC ID 13662
    [The organization should ensure that the role of the risk owner is determined in terms of the management activities regarding the identified risks. Risk owners should have appropriate accountability and authority for managing identified risks. § 6.1 ¶ 4
    Action: Appropriate level of management should consider results related to information security risks, to decide on or endorse further actions. § 10.2 ¶ 3
    Action: Risks should be associated to risk owners. § 7.2.2 ¶ 3]
    Human Resources Management Preventive
    Define and assign roles and responsibilities for those involved in risk management. CC ID 13660
    [The organization should ensure that the role of the risk owner is determined in terms of the management activities regarding the identified risks. Risk owners should have appropriate accountability and authority for managing identified risks. § 6.1 ¶ 4
    An organization should define levels of risk acceptance. The following should be considered during development: the level of management with delegated authority to make risk acceptance decisions is identified; § 6.4.2 ¶ 4b)]
    Human Resources Management Preventive
    Include the management structure in the duties and responsibilities for risk management. CC ID 13665 Human Resources Management Preventive
  • Leadership and high level objectives
    10
    Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796
    [{risk management} The basic requirements of relevant interested parties should be identified, as well as the status of compliance with these requirements. This includes identifying all the reference documents that define security rules and controls and that apply within the scope of the information security risk assessment. § 6.2 ¶ 2
    {determine} {appropriateness} {risk management activities} Considerations for achieving this include: the expectations and perceptions of interested parties (e.g. top management); § 6.4.3.1 ¶ 4f)]
    Business Processes Preventive
    Establish and maintain an Authority Document list. CC ID 07113
    [{risk management} The basic requirements of relevant interested parties should be identified, as well as the status of compliance with these requirements. This includes identifying all the reference documents that define security rules and controls and that apply within the scope of the information security risk assessment. § 6.2 ¶ 2]
    Establish/Maintain Documentation Preventive
    Include signatures of C-level executives in the Statement on Internal Control. CC ID 14778 Establish/Maintain Documentation Preventive
    Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 Establish/Maintain Documentation Corrective
    Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 Establish/Maintain Documentation Preventive
    Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 Establish/Maintain Documentation Preventive
    Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 Establish/Maintain Documentation Preventive
    Include explanations, compensating controls, or risk acceptance in the Compliance Exceptions Document. CC ID 01631
    [Any non-compliance with the basic requirements should be explained and justified. These basic requirements and their compliance should be the input for the likelihood assessment and for the risk treatment. § 6.2 ¶ 4]
    Establish/Maintain Documentation Preventive
    Include cost benefit analysis in the decision management strategy. CC ID 14014
    [An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can be based on likelihood and consequence alone, or can be extended to also consider the cost/benefit balance between prospective losses and the cost of controls; § 6.4.2 ¶ 4d)
    Consequently, risk acceptance criteria should ideally include consideration of likelihood and consequence independently, as well as costs of management, rather than merely level of risk as a combination of likelihood and consequence. § 6.4.2 ¶ 10]
    Establish/Maintain Documentation Preventive
    Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841
    [Risk acceptance criteria should be established considering the following influencing factors: organizational objectives; § 6.4.2 ¶ 5 Bullet 1]
    Process or Activity Preventive
  • Monitoring and measurement
    28
    Establish, implement, and maintain a risk monitoring program. CC ID 00658
    [The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: § 10.5.1 ¶ 2
    The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: obtaining information to improve future risk assessments; § 10.5.1 ¶ 2b)
    The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: detecting changes in the internal and external context, including changes to risk criteria and the risks themselves, which can require revision of risk treatments and priorities; § 10.5.1 ¶ 2d)
    Action: Risks and their factors (i.e. value of assets, consequences, threats, vulnerabilities, likelihood of occurrence) should be monitored and reviewed to identify any changes in the context of the organization at an early stage, and to maintain an overview of the complete risk picture. § 10.5.2 ¶ 3
    The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: identifying emerging risks. § 10.5.1 ¶ 2e)]
    Establish/Maintain Documentation Preventive
    Monitor and evaluate environmental threats. CC ID 13481 Monitor and Evaluate Occurrences Detective
    Update or adjust fraud detection systems, as necessary. CC ID 13684 Process or Activity Corrective
    Include a system description in the system security plan. CC ID 16467 Establish/Maintain Documentation Preventive
    Include a description of the operational context in the system security plan. CC ID 14301 Establish/Maintain Documentation Preventive
    Include the results of the security categorization in the system security plan. CC ID 14281 Establish/Maintain Documentation Preventive
    Include the information types in the system security plan. CC ID 14696 Establish/Maintain Documentation Preventive
    Include the security requirements in the system security plan. CC ID 14274 Establish/Maintain Documentation Preventive
    Include cryptographic key management procedures in the system security plan. CC ID 17029 Establish/Maintain Documentation Preventive
    Include threats in the system security plan. CC ID 14693 Establish/Maintain Documentation Preventive
    Include network diagrams in the system security plan. CC ID 14273 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the system security plan. CC ID 14682 Establish/Maintain Documentation Preventive
    Include backup and recovery procedures in the system security plan. CC ID 17043 Establish/Maintain Documentation Preventive
    Include the results of the privacy risk assessment in the system security plan. CC ID 14676 Establish/Maintain Documentation Preventive
    Include remote access methods in the system security plan. CC ID 16441 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 Communicate Preventive
    Include a description of the operational environment in the system security plan. CC ID 14272 Establish/Maintain Documentation Preventive
    Include the security categorizations and rationale in the system security plan. CC ID 14270 Establish/Maintain Documentation Preventive
    Include the authorization boundary in the system security plan. CC ID 14257 Establish/Maintain Documentation Preventive
    Align the enterprise architecture with the system security plan. CC ID 14255 Process or Activity Preventive
    Include security controls in the system security plan. CC ID 14239 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities in the test plan. CC ID 14299 Establish/Maintain Documentation Preventive
    Include the assessment team in the test plan. CC ID 14297 Establish/Maintain Documentation Preventive
    Include the scope in the test plans. CC ID 14293 Establish/Maintain Documentation Preventive
    Include the assessment environment in the test plan. CC ID 14271 Establish/Maintain Documentation Preventive
    Approve the system security plan. CC ID 14241 Business Processes Preventive
    Establish, implement, and maintain risk management metrics. CC ID 01656
    [{be equivalent} If a qualitative approach is used, the levels of any qualitative scale should be unambiguous, its increments should be clearly defined, the qualitative descriptions for each level should be expressed in objective language and the levels should not overlap. When different scales are used (e.g. to address risks in different business domains), there should be an equivalency to allow comparable results. § 6.4.3.4 ¶ 8
    The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: analysing and learning lessons from incidents (including near misses), changes, trends, successes and failures; § 10.5.1 ¶ 2c)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain compliance program metrics. CC ID 11625
    [{risk management} The basic requirements of relevant interested parties should be identified, as well as the status of compliance with these requirements. This includes identifying all the reference documents that define security rules and controls and that apply within the scope of the information security risk assessment. § 6.2 ¶ 2]
    Monitor and Evaluate Occurrences Preventive
  • Operational management (7 controls)
    Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895
    [Risk acceptance criteria should be established considering the following influencing factors: technological constraints; § 6.4.2 ¶ 5 Bullet 5]
    Process or Activity Preventive
    Establish, implement, and maintain a baseline of internal controls. CC ID 12415
    [Action: Produce a Statement of Applicability. § 8.5 ¶ 3]
    Business Processes Preventive
    Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 Establish/Maintain Documentation Preventive
    Include the implementation status of controls in the baseline of internal controls. CC ID 16128 Establish/Maintain Documentation Preventive
    Include risk management in the information security program. CC ID 12378
    [Although almost anything is "possible", the risk sources that should be given primary attention are those with likelihoods most relevant to the organization's context and the scope of its ISMS. § 6.4.3.3 ¶ 5
    The organization should ensure that its information security risk management approach aligns with the organizational risk management approach, so that any information security risks can be compared with other organizational risks and not only considered in isolation. § 7.1 ¶ 6]
    Establish/Maintain Documentation Preventive
    Include mitigating supply chain risks in the information security program. CC ID 13352 Establish/Maintain Documentation Preventive
    Align the information security policy with the organization's risk acceptance level. CC ID 13042
    [An organization should define levels of risk acceptance. The following should be considered during development: consistency between the information security risk acceptance criteria and the organization's general risk acceptance criteria; § 6.4.2 ¶ 4a)
    {risk management methods} In general, the information security risk management approach and methods should be aligned with the approach and methods used to manage the other risks of the organization. § 6.5 ¶ 2]
    Business Processes Preventive
  • Records management (1 control)
    Retain records in accordance with applicable requirements. CC ID 00968
    [{risk treatment process} Action: Information about the information security risk assessment and treatment processes should be documented and retained. § 10.4.2 ¶ 2
    {risk treatment} Action: Information about the information security risk assessment and treatment results should be documented and retained. § 10.4.3 ¶ 2]
    Records Management Preventive
Common Controls and mandates by Type
67 Mandated Controls - bold
6 Implied Controls - italic
140 Implementation

Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.

Number of Controls: 213 Total
  • Acquisition/Sale of Assets or Services (1 control)
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 Audits and risk management Corrective
  • Audits and Risk Management (26 controls)
    Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 Audits and risk management Preventive
    Analyze the risk management strategy for addressing threats. CC ID 12925
    [In general, to set risk criteria, the following should be considered: how combinations and sequences of multiple risks will be taken into account; § 6.4.1 ¶ 3 Bullet 6]
    Audits and risk management Detective
    Analyze the risk management strategy for addressing opportunities. CC ID 12924
    [Risk acceptance criteria should be established considering the following influencing factors: organizational opportunities; § 6.4.2 ¶ 5 Bullet 2]
    Audits and risk management Detective
    Establish and maintain the factors and context for risk to the organization. CC ID 12230
    [In general, to set risk criteria, the following should be considered: the nature and type of uncertainties that can affect outcomes and objectives (both tangible and intangible); § 6.4.1 ¶ 3 Bullet 1
    In general, to set risk criteria, the following should be considered: time-related factors; § 6.4.1 ¶ 3 Bullet 3
    In general, to set risk criteria, the following should be considered: the organization's capacity. § 6.4.1 ¶ 3 Bullet 7
    The list of influencing factors is not exhaustive. The organization should consider the influencing factors based on the context. § 6.4.2 ¶ 6
    The context of the risk assessment should be determined including a description of scope and purpose as well as internal and external issues that affect the risk assessment. § 7.1 ¶ 3
    Action: All relevant data should be considered to identify and describe internal and external issues influencing information security risk management and requirements of interested parties. § 10.1 ¶ 3]
    Audits and risk management Preventive
    Establish, implement, and maintain fundamental rights impact assessments. CC ID 17217 Audits and risk management Preventive
    Employ risk assessment procedures that take into account risk factors. CC ID 16560 Audits and risk management Preventive
    Review the risk profiles, as necessary. CC ID 16561 Audits and risk management Detective
    Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698
    [Action: Risks associated with the loss of confidentiality, integrity and availability of information should be identified. § 7.2.1 ¶ 3]
    Audits and risk management Preventive
    Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173
    [In general, to set risk criteria, the following should be considered: how consequence and likelihood will be defined, predicted and measured; § 6.4.1 ¶ 3 Bullet 2
    Consequently, risk acceptance criteria should ideally include consideration of likelihood and consequence independently, as well as costs of management, rather than merely level of risk as a combination of likelihood and consequence. § 6.4.2 ¶ 10
    Likelihood criteria should cover the predictably manageable range of anticipated event likelihoods. Beyond the limits of practicable manageability, it is typically only necessary to recognize that one or another limit has been exceeded in order to make an adequate risk management decision (designation as an extreme case). If finite scales are too wide, this typically results in excessively coarse quantization and can lead to error in assessment. This is particularly the case where likelihoods fall into the high end of exponentially represented scales, as the increments in the upper ranges are intrinsically very wide. § 6.4.3.3 ¶ 4
    The organization should develop a risk ranking, taking into account the following: the consequence criteria and likelihood criteria; § 6.4.3.4 ¶ 3a)
    ISO 31000 is referenced in ISO/IEC 27001 as a general model. ISO/IEC 27001:2022, 6.1.2, requires that for each identified risk, the risk analysis is based on assessing the consequences resulting from the risk and assessing the likelihood of the risk to determine a level of risk. § 7.3.1 ¶ 2
    The likelihood of occurrence of possible or actual scenarios should be assessed and expressed using established likelihood criteria. § 7.3.3 ¶ 3]
    Audits and risk management Preventive
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and risk management Detective
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686
    [The organization should develop a risk ranking, taking into account the following: the consequence criteria and likelihood criteria; § 6.4.3.4 ¶ 3a)
    The consequences resulting from the failure to adequately preserve confidentiality, integrity or availability of information should be identified and assessed. § 7.3.2 ¶ 3
    The organization should develop a risk ranking, taking into account the following: the consequences that information security events can have on strategic, tactical and operational levels (this can be defined as worst case or in other terms provided the same basis is used consistently); § 6.4.3.4 ¶ 3b)]
    Audits and risk management Preventive
    Analyze and quantify the risks to in scope systems and information. CC ID 00701
    [The organization should use the organizational risk assessment process (if established) to assess risks to information or to define an information security risk assessment process. § 7.1 ¶ 1]
    Audits and risk management Preventive
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703
    [In general, to set risk criteria, the following should be considered: consistency in the use of measurements; § 6.4.1 ¶ 3 Bullet 4
    In general, to set risk criteria, the following should be considered: how the level of risk will be determined; § 6.4.1 ¶ 3 Bullet 5
    Consequence criteria define how an organization categorizes the significance of potential information security events to the organization. It is essential to determine how many categories of consequences are used, how they are defined, and what consequences are associated with each category. Usually, consequence criteria are different for different organizations depending on the organization's internal and external context. § 6.4.3.2 ¶ 3
    {be equivalent} If a qualitative approach is used, the levels of any qualitative scale should be unambiguous, its increments should be clearly defined, the qualitative descriptions for each level should be expressed in objective language and the levels should not overlap. When different scales are used (e.g. to address risks in different business domains), there should be an equivalency to allow comparable results. § 6.4.3.4 ¶ 8]
    Audits and risk management Preventive
    Assess the potential level of business impact risk associated with each business process. CC ID 06463
    [Risk acceptance criteria should be established considering the following influencing factors: processes; § 6.4.2 ¶ 5 Bullet 7
    {determine} {appropriateness} {risk management activities} Considerations for achieving this include: the strategic value of the business processes that make use of the information; § 6.4.3.1 ¶ 4c)
    Risk acceptance criteria should be established considering the following influencing factors: operational activities; § 6.4.2 ¶ 5 Bullet 4
    {internal operations} When defining consequence criteria, the following should especially be considered: impaired internal or third-party operations (e.g. damage to a business function or process); § 6.4.3.2 ¶ 2d)]
    Audits and risk management Detective
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464
    [In general, to set risk criteria, the following should be considered: how consequence and likelihood will be defined, predicted and measured; § 6.4.1 ¶ 3 Bullet 2
    Consequently, risk acceptance criteria should ideally include consideration of likelihood and consequence independently, as well as costs of management, rather than merely level of risk as a combination of likelihood and consequence. § 6.4.2 ¶ 10
    When defining consequence criteria, the following should especially be considered: effects to plans and deadlines; § 6.4.3.2 ¶ 2e)
    When defining consequence criteria, the following should especially be considered: loss of business advantage or market share; § 6.4.3.2 ¶ 2g)
    {business value} When defining consequence criteria, the following should especially be considered: loss of business and financial value; § 6.4.3.2 ¶ 2f)
    ISO 31000 is referenced in ISO/IEC 27001 as a general model. ISO/IEC 27001:2022, 6.1.2, requires that for each identified risk, the risk analysis is based on assessing the consequences resulting from the risk and assessing the likelihood of the risk to determine a level of risk. § 7.3.1 ¶ 2]
    Audits and risk management Detective
    Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465
    [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: the criticality of the information and assets related to information involved; § 6.4.3.1 ¶ 4d)
    {determine} {appropriateness} {risk management activities} Considerations for achieving this include: the quantity, and any concentration of information; § 6.4.3.1 ¶ 4b)]
    Audits and risk management Detective
    Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466
    [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: operational and business importance of availability, confidentiality and integrity; § 6.4.3.1 ¶ 4e)
    The consequences resulting from the failure to adequately preserve confidentiality, integrity or availability of information should be identified and assessed. § 7.3.2 ¶ 3]
    Audits and risk management Detective
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467
    [ISO/IEC 27001 is concerned with the consequences which are directly or indirectly affected by the preservation or loss of confidentiality, integrity and availability of information in the scope of the ISMS. Consequence criteria should be developed and specified in terms of the extent of damage or loss, or harm to an organization or individual resulting from the loss of confidentiality, integrity and availability of information. When defining consequence criteria, the following should especially be considered: § 6.4.3.2 ¶ 2]
    Audits and risk management Detective
    Assess the potential level of business impact risk associated with reputational damage. CC ID 15335
    [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: negative consequences such as loss of goodwill and reputation; § 6.4.3.1 ¶ 4g)
    When defining consequence criteria, the following should especially be considered: damage to public trust or reputation; § 6.4.3.2 ¶ 2h)]
    Audits and risk management Detective
    Assess the potential level of business impact risk associated with external entities. CC ID 06469
    [Risk acceptance criteria should be established considering the following influencing factors: supplier relationships; § 6.4.2 ¶ 5 Bullet 8
    When defining consequence criteria, the following should especially be considered: breaches of contracts or service levels; § 6.4.3.2 ¶ 2j)
    {internal operations} When defining consequence criteria, the following should especially be considered: impaired internal or third-party operations (e.g. damage to a business function or process); § 6.4.3.2 ¶ 2d)]
    Audits and risk management Detective
    Prioritize and select controls based on the risk assessment findings. CC ID 00707
    [The purpose of scales for level of risk is to help risk owners to decide about retaining or otherwise treating risks and to prioritize them for risk treatment. The assessed level of a particular risk should help the organization to determine the urgency for addressing that risk. § 6.4.3.4 ¶ 2
    Action: The risks on the list should be prioritized for risk treatment, considering assessed levels of risks. § 7.4.2 ¶ 3
    The output of this process is a set of necessary information security controls [see ISO/IEC 27001:2022, 6.1.3 b)] that are to be deployed or enhanced in relation to one another, in accordance with the risk treatment plan [see ISO/IEC 27001:2022, 6.1.3 e)]. Deployed in this way, the effectiveness of the risk treatment plan is to modify the information security risk facing the organization so that it meets the organization's criteria for acceptance. § 8.1 ¶ 2
    Action: Determine all controls, from the chosen control sets as selected from an appropriate source, that are necessary for treating the risks based on the risk treatment options chosen, such as to modify, retain, avoid or share the risks. § 8.3 ¶ 3]
    Audits and risk management Preventive
    Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 Audits and risk management Preventive
    Approve the risk treatment plan. CC ID 13495
    [{approve} Action: Approval of risk treatment plan(s) by risk owners. § 8.6.2 ¶ 3
    Action: The results of information security risk assessment and status of the information security risk treatment plan should be reviewed to confirm that residual risks meet risk acceptance criteria, and that the risk treatment plan addresses all relevant risks and their risk treatment options. § 10.6 ¶ 3]
    Audits and risk management Preventive
    Analyze the impact of artificial intelligence systems on society. CC ID 16317 Audits and risk management Detective
    Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 Audits and risk management Detective
    Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 Audits and risk management Preventive
  • Behavior (1 control)
    Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718
    [Action: Information on risks, their causes, consequences, their likelihood and the controls being taken to treat them should be communicated to, or obtained from, the external and internal interested parties. § 10.3 ¶ 4]
    Audits and risk management Preventive
  • Business Processes (12 controls)
    Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796
    [{risk management} The basic requirements of relevant interested parties should be identified, as well as the status of compliance with these requirements. This includes identifying all the reference documents that define security rules and controls and that apply within the scope of the information security risk assessment. § 6.2 ¶ 2
    {determine} {appropriateness} {risk management activities} Considerations for achieving this include: the expectations and perceptions of interested parties (e.g. top management); § 6.4.3.1 ¶ 4f)]
    Leadership and high level objectives Preventive
    Approve the system security plan. CC ID 14241 Monitoring and measurement Preventive
    Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 Audits and risk management Detective
    Integrate the risk management program with the organization's business activities. CC ID 13661 Audits and risk management Preventive
    Integrate the risk management program into daily business decision-making. CC ID 13659
    [The risk assessment should help the organization make decisions about the management of the risks that affect the achievement of its objectives. This should therefore be targeted at those risks and controls that, if managed successfully, will improve the likelihood of the organization achieving its objectives. § 6.3 ¶ 3]
    Audits and risk management Preventive
    Include regular updating in the risk management system. CC ID 14990 Audits and risk management Preventive
    Approve the threat and risk classification scheme. CC ID 15693 Audits and risk management Preventive
    Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672
    [It is important to understand that risk appetite, defined as the amount of risk an organization is willing to pursue or accept, can vary considerably from organization to organization. For instance, factors affecting an organization's risk appetite include size, complexity and sector. Risk appetite should be set and regularly reviewed by top management. § 6.1 ¶ 3]
    Audits and risk management Preventive
    Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 Audits and risk management Preventive
    Acquire cyber insurance, as necessary. CC ID 12693 Audits and risk management Preventive
    Establish, implement, and maintain a baseline of internal controls. CC ID 12415
    [Action: Produce a Statement of Applicability. § 8.5 ¶ 3]
    Operational management Preventive
    Align the information security policy with the organization's risk acceptance level. CC ID 13042
    [An organization should define levels of risk acceptance. The following should be considered during development: consistency between the information security risk acceptance criteria and the organization's general risk acceptance criteria; § 6.4.2 ¶ 4a)
    {risk management methods} In general, the information security risk management approach and methods should be aligned with the approach and methods used to manage the other risks of the organization. § 6.5 ¶ 2]
    Operational management Preventive
  • Communicate (15 controls)
    Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 Monitoring and measurement Preventive
    Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 Audits and risk management Preventive
    Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 Audits and risk management Preventive
    Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 Audits and risk management Preventive
    Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 Audits and risk management Preventive
    Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136
    [Whether quantitative or qualitative criteria are used, evaluation scales should ultimately be anchored to a reference scale that is understood by all interested parties, and both risk analysis and risk evaluation should include at least periodic formal calibration against the reference scale to ensure validity, consistency and comparability of results. § 6.4.3.4 ¶ 7]
    Audits and risk management Preventive
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Audits and risk management Preventive
    Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 Audits and risk management Preventive
    Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694
    [Action: Information on risks, their causes, consequences, their likelihood and the controls being taken to treat them should be communicated to, or obtained from, the external and internal interested parties. § 10.3 ¶ 4]
    Audits and risk management Preventive
    Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 Audits and risk management Preventive
    Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 Audits and risk management Preventive
    Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 Audits and risk management Preventive
    Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 Audits and risk management Preventive
    Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 Audits and risk management Preventive
    Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 Audits and risk management Preventive
  • Data and Information Management (1 control)
    Include data quality in the risk management strategies. CC ID 15308 Audits and risk management Preventive
  • Establish Roles (3 controls)
    Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456
    [An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can include multiple thresholds, and authority for acceptance can be assigned to different levels of management; § 6.4.2 ¶ 4c)]
    Audits and risk management Preventive
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 Human Resources management Preventive
    Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 Human Resources management Preventive
  • Establish/Maintain Documentation
    124
    Establish and maintain an Authority Document list. CC ID 07113
    [{risk management} The basic requirements of relevant interested parties should be identified, as well as the status of compliance with these requirements. This includes identifying all the reference documents that define security rules and controls and that apply within the scope of the information security risk assessment. § 6.2 ¶ 2]
    Leadership and high level objectives Preventive
    Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 Leadership and high level objectives Preventive
    Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 Leadership and high level objectives Corrective
    Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 Leadership and high level objectives Preventive
    Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 Leadership and high level objectives Preventive
    Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 Leadership and high level objectives Preventive
    Include explanations, compensating controls, or risk acceptance in the compliance exceptions document. CC ID 01631
    [Any non-compliance with the basic requirements should be explained and justified. These basic requirements and their compliance should be the input for the likelihood assessment and for the risk treatment. § 6.2 ¶ 4]
    Leadership and high level objectives Preventive
    Include cost benefit analysis in the decision management strategy. CC ID 14014
    [An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can be based on likelihood and consequence alone, or can be extended to also consider the cost/benefit balance between prospective losses and the cost of controls; § 6.4.2 ¶ 4d)
    Consequently, risk acceptance criteria should ideally include consideration of likelihood and consequence independently, as well as costs of management, rather than merely level of risk as a combination of likelihood and consequence. § 6.4.2 ¶ 10]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain a risk monitoring program. CC ID 00658
    [The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: § 10.5.1 ¶ 2
    The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: obtaining information to improve future risk assessments; § 10.5.1 ¶ 2b)
    The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: detecting changes in the internal and external context, including changes to risk criteria and the risks themselves, which can require revision of risk treatments and priorities; § 10.5.1 ¶ 2d)
    Action: Risks and their factors (i.e. value of assets, consequences, threats, vulnerabilities, likelihood of occurrence) should be monitored and reviewed to identify any changes in the context of the organization at an early stage, and to maintain an overview of the complete risk picture. § 10.5.2 ¶ 3
    The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: identifying emerging risks. § 10.5.1 ¶ 2e)]
    Monitoring and measurement Preventive
    Include a system description in the system security plan. CC ID 16467 Monitoring and measurement Preventive
    Include a description of the operational context in the system security plan. CC ID 14301 Monitoring and measurement Preventive
    Include the results of the security categorization in the system security plan. CC ID 14281 Monitoring and measurement Preventive
    Include the information types in the system security plan. CC ID 14696 Monitoring and measurement Preventive
    Include the security requirements in the system security plan. CC ID 14274 Monitoring and measurement Preventive
    Include cryptographic key management procedures in the system security plan. CC ID 17029 Monitoring and measurement Preventive
    Include threats in the system security plan. CC ID 14693 Monitoring and measurement Preventive
    Include network diagrams in the system security plan. CC ID 14273 Monitoring and measurement Preventive
    Include roles and responsibilities in the system security plan. CC ID 14682 Monitoring and measurement Preventive
    Include backup and recovery procedures in the system security plan. CC ID 17043 Monitoring and measurement Preventive
    Include the results of the privacy risk assessment in the system security plan. CC ID 14676 Monitoring and measurement Preventive
    Include remote access methods in the system security plan. CC ID 16441 Monitoring and measurement Preventive
    Include a description of the operational environment in the system security plan. CC ID 14272 Monitoring and measurement Preventive
    Include the security categorizations and rationale in the system security plan. CC ID 14270 Monitoring and measurement Preventive
    Include the authorization boundary in the system security plan. CC ID 14257 Monitoring and measurement Preventive
    Include security controls in the system security plan. CC ID 14239 Monitoring and measurement Preventive
    Include the roles and responsibilities in the test plan. CC ID 14299 Monitoring and measurement Preventive
    Include the assessment team in the test plan. CC ID 14297 Monitoring and measurement Preventive
    Include the scope in the test plans. CC ID 14293 Monitoring and measurement Preventive
    Include the assessment environment in the test plan. CC ID 14271 Monitoring and measurement Preventive
    Establish, implement, and maintain risk management metrics. CC ID 01656
    [{be equivalent} If a qualitative approach is used, the levels of any qualitative scale should be unambiguous, its increments should be clearly defined, the qualitative descriptions for each level should be expressed in objective language and the levels should not overlap. When different scales are used (e.g. to address risks in different business domains), there should be an equivalency to allow comparable results. § 6.4.3.4 ¶ 8
    The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: analysing and learning lessons from incidents (including near misses), changes, trends, successes and failures; § 10.5.1 ¶ 2c)]
    Monitoring and measurement Preventive
    Establish, implement, and maintain a risk management program. CC ID 12051
    [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to the entire risk assessment, and the updates can be divided into two risk management cycles: § 5.2 ¶ 1
    {risk management operational cycle} The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to the entire risk assessment, and the updates can be divided into two risk management cycles: operational cycle, where the above-mentioned elements serve as input information or changed criteria that will affect a risk assessment or assessment where the scenarios should be reviewed and updated. The review should include updating of the corresponding risk treatment as applicable. § 5.2 ¶ 1 Bullet 2
    {risk management strategic cycle} {risk management operational cycle} The strategic cycle should be conducted on a longer time basis or when major changes occur, while the operational cycle should be shorter depending on the detailed risks that are identified and assessed as well as the related risk treatment. § 5.2 ¶ 2
    Action: The information security risk management process should be continually monitored, reviewed and improved as necessary. § 10.8 ¶ 3]
    Audits and risk management Preventive
    Include the scope of risk management activities in the risk management program. CC ID 13658 Audits and risk management Preventive
    Include managing mobile risks in the risk management program. CC ID 13535 Audits and risk management Preventive
    Establish, implement, and maintain a risk management policy. CC ID 17192 Audits and risk management Preventive
    Establish, implement, and maintain risk management strategies. CC ID 13209
    [{risk management strategic cycle} The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to the entire risk assessment, and the updates can be divided into two risk management cycles: strategic cycle, where business assets, risk sources and threats, target objectives or consequences to information security events are evolving from changes in the overall context of the organization. This can result as inputs for an overall update of the risk assessment or risk assessments and the risk treatments. It can also serve as an input for identifying new risks and initiate completely new risk assessments; § 5.2 ¶ 1 Bullet 1
    {risk management strategic cycle} {risk management operational cycle} The strategic cycle should be conducted on a longer time basis or when major changes occur, while the operational cycle should be shorter depending on the detailed risks that are identified and assessed as well as the related risk treatment. § 5.2 ¶ 2
    {risk management approach} The chosen approach should be documented. § 6.5 ¶ 3]
    Audits and risk management Preventive
    Include off-site storage of supplies in the risk management strategies. CC ID 13221 Audits and risk management Preventive
    Include minimizing service interruptions in the risk management strategies. CC ID 13215 Audits and risk management Preventive
    Include off-site storage in the risk mitigation strategies. CC ID 13213 Audits and risk management Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Audits and risk management Preventive
    Establish, implement, and maintain a risk assessment program. CC ID 00687
    [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to the entire risk assessment, and the updates can be divided into two risk management cycles: § 5.2 ¶ 1
    The organization should use the organizational risk assessment process (if established) to assess risks to information or to define an information security risk assessment process. § 7.1 ¶ 1
    {risk treatment process} Action: Information about the information security risk assessment and treatment processes should be documented and retained. § 10.4.2 ¶ 2]
    Audits and risk management Preventive
    Include the need for risk assessments in the risk assessment program. CC ID 06447
    [The context of the risk assessment should be determined including a description of scope and purpose as well as internal and external issues that affect the risk assessment. § 7.1 ¶ 3]
    Audits and risk management Preventive
    Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786
    [Risk acceptance criteria should be established considering the following influencing factors: financial constraints; § 6.4.2 ¶ 5 Bullet 6]
    Audits and risk management Preventive
    Establish, implement, and maintain insurance requirements. CC ID 16562 Audits and risk management Preventive
    Address cybersecurity risks in the risk assessment program. CC ID 13193 Audits and risk management Preventive
    Include the categories of data used by the system in the fundamental rights impact assessment. CC ID 17248 Audits and risk management Preventive
    Include metrics in the fundamental rights impact assessment. CC ID 17249 Audits and risk management Preventive
    Include the benefits of the system in the fundamental rights impact assessment. CC ID 17244 Audits and risk management Preventive
    Include user safeguards in the fundamental rights impact assessment. CC ID 17255 Audits and risk management Preventive
    Include the outputs produced by the system in the fundamental rights impact assessment. CC ID 17247 Audits and risk management Preventive
    Include the purpose in the fundamental rights impact assessment. CC ID 17243 Audits and risk management Preventive
    Include monitoring procedures in the fundamental rights impact assessment. CC ID 17254 Audits and risk management Preventive
    Include risk management measures in the fundamental rights impact assessment. CC ID 17224 Audits and risk management Preventive
    Include human oversight measures in the fundamental rights impact assessment. CC ID 17223 Audits and risk management Preventive
    Include risks in the fundamental rights impact assessment. CC ID 17222 Audits and risk management Preventive
    Include affected parties in the fundamental rights impact assessment. CC ID 17221 Audits and risk management Preventive
    Include the frequency in the fundamental rights impact assessment. CC ID 17220 Audits and risk management Preventive
    Include the usage duration in the fundamental rights impact assessment. CC ID 17219 Audits and risk management Preventive
    Include system use in the fundamental rights impact assessment. CC ID 17218 Audits and risk management Preventive
    Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 Audits and risk management Preventive
    Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 Audits and risk management Preventive
    Establish, implement, and maintain a risk assessment policy. CC ID 14026 Audits and risk management Preventive
    Include compliance requirements in the risk assessment policy. CC ID 14121 Audits and risk management Preventive
    Include coordination amongst entities in the risk assessment policy. CC ID 14120 Audits and risk management Preventive
    Include management commitment in the risk assessment policy. CC ID 14119 Audits and risk management Preventive
    Include roles and responsibilities in the risk assessment policy. CC ID 14118 Audits and risk management Preventive
    Include the scope in the risk assessment policy. CC ID 14117 Audits and risk management Preventive
    Include the purpose in the risk assessment policy. CC ID 14116 Audits and risk management Preventive
    Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472
    [{legal aspects} Risk acceptance criteria should be established considering the following influencing factors: legal and regulatory aspects; § 6.4.2 ¶ 5 Bullet 3
    {legal requirements} The organization should develop a risk ranking, taking into account the following: legal and regulatory requirements, and contractual obligations; § 6.4.3.4 ¶ 3c)]
    Audits and risk management Preventive
    Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473
    [Any non-compliance with the basic requirements should be explained and justified. These basic requirements and their compliance should be the input for the likelihood assessment and for the risk treatment. § 6.2 ¶ 4
    Risk assessment criteria, or a formal basis for defining them, should be standardized across the organization for all types of risk assessment, as this can facilitate the communication, comparison and aggregation of risks associated with multiple business domains. § 6.4.3.1 ¶ 5
    Whether quantitative or qualitative criteria are used, evaluation scales should ultimately be anchored to a reference scale that is understood by all interested parties, and both risk analysis and risk evaluation should include at least periodic formal calibration against the reference scale to ensure validity, consistency and comparability of results. § 6.4.3.4 ¶ 7
    {information security risk management method} It means the chosen method should ensure the following properties of results: comparability: risk assessment criteria should be defined to ensure that assessments performed for different risks produce comparable results when representing equivalent levels of risk; § 6.5 ¶ 4 Bullet 2
    The risk assessment process should be based on methods (see 6.5) and tools designed in sufficient detail to ensure, as far as is possible, consistent, valid and reproducible results. Furthermore, the outcome should be comparable, e.g. to determine whether the level of risk increased or decreased. § 7.1 ¶ 5
    {information security risk management method} It means the chosen method should ensure the following properties of results: consistency: assessments of the same risks performed by different persons, or by the same persons on different occasions, in the same context, should produce similar results; § 6.5 ¶ 4 Bullet 1]
    Audits and risk management Preventive
    Employ risk assessment procedures that take into account information classification. CC ID 06477
    [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: the classification level of information; § 6.4.3.1 ¶ 4a)]
    Audits and risk management Preventive
    Employ risk assessment procedures that align with strategic objectives. CC ID 06474
    [The risk assessment should help the organization make decisions about the management of the risks that affect the achievement of its objectives. This should therefore be targeted at those risks and controls that, if managed successfully, will improve the likelihood of the organization achieving its objectives. § 6.3 ¶ 3
    Risk analysis should be targeted at those risks and controls that, if managed successfully, improve the likelihood of the organization achieving its objectives. It is easy to spend significant time on a risk assessment, notably the assessment of likelihoods and consequences. To enable efficient decision-making on the management of risks, it can be sufficient to use initial and rough estimates of likelihood and consequence. § 7.3.1 ¶ 4]
    Audits and risk management Preventive
    Employ risk assessment procedures that take into account the target environment. CC ID 06479
    [{information security risk management method} It means the chosen method should ensure the following properties of results: validity: assessments should produce the results that accord as closely as possible with reality. § 6.5 ¶ 4 Bullet 3]
    Audits and risk management Preventive
    Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183
    [An organization should define levels of risk acceptance. The following should be considered during development: different risk acceptance criteria can apply to different classes of risk (e.g. risks that can result in non-compliance with regulations or laws are not always retained, while acceptance of risks can be allowed if the acceptance is a result of a contractual requirement); § 6.4.2 ¶ 4e)
    Consequence criteria define how an organization categorizes the significance of potential information security events to the organization. It is essential to determine how many categories of consequences are used, how they are defined, and what consequences are associated with each category. Usually, consequence criteria are different for different organizations depending on the organization's internal and external context. § 6.4.3.2 ¶ 3
    Depending on the situation, it is recommended to consider the inherent level of risk (without considering any controls), or the current level of risk (allowing for the effectiveness of any controls already implemented). The organization should develop a risk ranking, taking into account the following: § 6.4.3.4 ¶ 3
    {external risk} The organization should develop a risk ranking, taking into account the following: risks that appear beyond the boundaries of the organization's scope, including unforeseen effects on third parties. § 6.4.3.4 ¶ 3d)
    Action: Level of risks should be compared against risk evaluation criteria, particularly risk acceptance criteria. § 7.4.1 ¶ 3]
    Audits and risk management Preventive
    Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484
    [Information security risk assessment criteria should take into account the appropriateness of risk management activities. § 6.4.3.1 ¶ 3]
    Audits and risk management Preventive
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 Audits and risk management Preventive
    Update the risk assessment upon changes to the risk profile. CC ID 11627
    [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to the entire risk assessment, and the updates can be divided into two risk management cycles: § 5.2 ¶ 1
    The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: analysing and learning lessons from incidents (including near misses), changes, trends, successes and failures; § 10.5.1 ¶ 2c)]
    Audits and risk management Detective
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Audits and risk management Preventive
    Create a risk assessment report based on the risk assessment results. CC ID 15695
    [{risk treatment} Action: Information about the information security risk assessment and treatment results should be documented and retained. § 10.4.3 ¶ 2]
    Audits and risk management Preventive
    Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 Audits and risk management Preventive
    Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 Audits and risk management Preventive
    Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 Audits and risk management Preventive
    Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 Audits and risk management Preventive
    Include pandemic risks in the Business Impact Analysis. CC ID 13219 Audits and risk management Preventive
    Establish, implement, and maintain a risk register. CC ID 14828 Audits and risk management Preventive
    Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706
    [Risk treatment involves an iterative process of: deciding whether the remaining risk is acceptable; § 5.1 ¶ 6 Bullet 4
    It is important to understand that risk appetite, defined as the amount of risk an organization is willing to pursue or accept, can vary considerably from organization to organization. For instance, factors affecting an organization's risk appetite include size, complexity and sector. Risk appetite should be set and regularly reviewed by top management. § 6.1 ¶ 3
    An organization should define levels of risk acceptance. The following should be considered during development: § 6.4.2 ¶ 4
    {is unacceptable} In risk evaluation, risk acceptance criteria should be used to determine whether a risk is acceptable or not. § 6.4.2 ¶ 2
    An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can include multiple thresholds, and authority for acceptance can be assigned to different levels of management; § 6.4.2 ¶ 4c)
    An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can be based on likelihood and consequence alone, or can be extended to also consider the cost/benefit balance between prospective losses and the cost of controls; § 6.4.2 ¶ 4d)
    An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria should be defined based upon the risk appetite that indicates amount and type of risk that the organization is willing to pursue or retain; § 6.4.2 ¶ 4g)
    An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can be absolute or conditional depending on the context. § 6.4.2 ¶ 4h)
    The risk criteria should be kept under review and updated as necessary as a result of any changes in the context of information security risk management. § 6.4.2 ¶ 13
    {determine} {appropriateness} {risk management activities} Considerations for achieving this include: consistency with the organizational risk criteria. § 6.4.3.1 ¶ 4h)
    Depending on the situation, it is recommended to consider the inherent level of risk (without considering any controls), or the current level of risk (allowing for the effectiveness of any controls already implemented). The organization should develop a risk ranking, taking into account the following: § 6.4.3.4 ¶ 3
    Risk acceptance criteria should be established considering the following influencing factors: § 6.4.2 ¶ 5
    The level of risk should be determined as a combination of the assessed likelihood and the assessed consequences for all relevant risk scenarios. § 7.3.4 ¶ 3
    Action: Determine whether the residual risks are acceptable. § 8.6.3 ¶ 3]
    Audits and risk management Preventive
    Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483
    [Risk treatment involves an iterative process of: formulating and selecting risk treatment options; § 5.1 ¶ 6 Bullet 1
    Action: Risk treatment options should be chosen. § 8.2 ¶ 3]
    Audits and risk management Preventive
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704
    [{requirements} Action: Compare all necessary controls with those listed in ISO/IEC 27001:2022, Annex A. § 8.4 ¶ 3]
    Audits and risk management Detective
    Document the results of the gap analysis. CC ID 16271 Audits and risk management Preventive
    Establish, implement, and maintain a risk treatment plan. CC ID 11983
    [Risk treatment involves an iterative process of: planning and implementing risk treatment; § 5.1 ¶ 6 Bullet 2
    An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can include requirements for future additional treatment (e.g. a risk can be retained on a short-term basis even when the level of risk exceeds the risk acceptance criteria if there is approval and commitment to take action to implement a chosen set of controls to reach an acceptable level within a defined time period); § 6.4.2 ¶ 4f)
    {risk management operational cycle} The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to the entire risk assessment, and the updates can be divided into two risk management cycles: operational cycle, where the above-mentioned elements serve as input information or changed criteria that will affect a risk assessment or assessment where the scenarios should be reviewed and updated. The review should include updating of the corresponding risk treatment as applicable. § 5.2 ¶ 1 Bullet 2
    Action: Formulate risk treatment plan. § 8.6.1 ¶ 3
    Action: The risk treatment process should be performed in accordance with Clause 8. § 9.2 ¶ 3
    {risk treatment process} Action: Information about the information security risk assessment and treatment processes should be documented and retained. § 10.4.2 ¶ 2
    {risk treatment} Action: Information about the information security risk assessment and treatment results should be documented and retained. § 10.4.3 ¶ 2
    Action: Revise the risk treatment plan and implement it to modify the residual risk to an acceptable level. § 10.7 ¶ 3]
    Audits and risk management Preventive
    Include roles and responsibilities in the risk treatment plan. CC ID 16991 Audits and risk management Preventive
    Include time information in the risk treatment plan. CC ID 16993 Audits and risk management Preventive
    Include allocation of resources in the risk treatment plan. CC ID 16989 Audits and risk management Preventive
    Include the date of the risk assessment in the risk treatment plan. CC ID 16321 Audits and risk management Preventive
    Include the risk treatment strategy in the risk treatment plan. CC ID 12159
    [{be unacceptable} Risk treatment involves an iterative process of: taking further treatment if not acceptable. § 5.1 ¶ 6 Bullet 5]
    Audits and risk management Preventive
    Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552
    [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to the entire risk assessment, and the updates can be divided into two risk management cycles: § 5.2 ¶ 1]
    Audits and risk management Corrective
    Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 Audits and risk management Preventive
    Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 Audits and risk management Preventive
    Review and approve the risk assessment findings. CC ID 06485
    [Action: The results of information security risk assessment and status of the information security risk treatment plan should be reviewed to confirm that residual risks meet risk acceptance criteria, and that the risk treatment plan addresses all relevant risks and their risk treatment options. § 10.6 ¶ 3]
    Audits and risk management Preventive
    Document residual risk in a residual risk report. CC ID 13664 Audits and risk management Corrective
    Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 Audits and risk management Preventive
    Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 Audits and risk management Preventive
    Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 Audits and risk management Preventive
    Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 Audits and risk management Preventive
    Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 Audits and risk management Preventive
    Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 Audits and risk management Preventive
    Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 Audits and risk management Preventive
    Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 Audits and risk management Preventive
    Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 Audits and risk management Preventive
    Include compliance requirements in the supply chain risk management policy. CC ID 14711 Audits and risk management Preventive
    Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 Audits and risk management Preventive
    Include management commitment in the supply chain risk management policy. CC ID 14709 Audits and risk management Preventive
    Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 Audits and risk management Preventive
    Include the scope in the supply chain risk management policy. CC ID 14707 Audits and risk management Preventive
    Include the purpose in the supply chain risk management policy. CC ID 14706 Audits and risk management Preventive
    Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 Audits and risk management Preventive
    Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 Audits and risk management Preventive
    Include dates in the supply chain risk management plan. CC ID 15617 Audits and risk management Preventive
    Include implementation milestones in the supply chain risk management plan. CC ID 15615 Audits and risk management Preventive
    Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 Audits and risk management Preventive
    Include supply chain risk management procedures in the risk management program. CC ID 13190 Audits and risk management Preventive
    Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 Operational management Preventive
    Include the implementation status of controls in the baseline of internal controls. CC ID 16128 Operational management Preventive
    Include risk management in the information security program. CC ID 12378
    [Although almost anything is "possible", the risk sources that should be given primary attention are those with likelihoods most relevant to the organization's context and the scope of its ISMS. § 6.4.3.3 ¶ 5
    The organization should ensure that its information security risk management approach aligns with the organizational risk management approach, so that any information security risks can be compared with other organizational risks and not only considered in isolation. § 7.1 ¶ 6]
    Operational management Preventive
    Include mitigating supply chain risks in the information security program. CC ID 13352 Operational management Preventive
  • Human Resources Management
    6
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 Audits and risk management Detective
    Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 Audits and risk management Preventive
    Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 Audits and risk management Preventive
    Assign ownership of risks to the Board of Directors or senior management. CC ID 13662
    [The organization should ensure that the role of the risk owner is determined in terms of the management activities regarding the identified risks. Risk owners should have appropriate accountability and authority for managing identified risks. § 6.1 ¶ 4
    Action: Appropriate level of management should consider results related to information security risks, to decide on or endorse further actions. § 10.2 ¶ 3
    Action: Risks should be associated to risk owners. § 7.2.2 ¶ 3]
    Human Resources management Preventive
    Define and assign roles and responsibilities for those involved in risk management. CC ID 13660
    [The organization should ensure that the role of the risk owner is determined in terms of the management activities regarding the identified risks. Risk owners should have appropriate accountability and authority for managing identified risks. § 6.1 ¶ 4
    An organization should define levels of risk acceptance. The following should be considered during development: the level of management with delegated authority to make risk acceptance decisions is identified; § 6.4.2 ¶ 4b)]
    Human Resources management Preventive
    Include the management structure in the duties and responsibilities for risk management. CC ID 13665 Human Resources management Preventive
  • IT Impact Zone
    2
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
  • Investigate
    2
    Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 Audits and risk management Detective
    Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 Audits and risk management Detective
  • Monitor and Evaluate Occurrences
    4
    Monitor and evaluate environmental threats. CC ID 13481 Monitoring and measurement Detective
    Establish, implement, and maintain compliance program metrics. CC ID 11625
    [{risk management} The basic requirements of relevant interested parties should be identified, as well as the status of compliance with these requirements. This includes identifying all the reference documents that define security rules and controls and that apply within the scope of the information security risk assessment. § 6.2 ¶ 2]
    Monitoring and measurement Preventive
    Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 Audits and risk management Preventive
    Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 Audits and risk management Preventive
  • Process or Activity
    11
    Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841
    [Risk acceptance criteria should be established considering the following influencing factors: organizational objectives; § 6.4.2 ¶ 5 Bullet 1]
    Leadership and high level objectives Preventive
    Update or adjust fraud detection systems, as necessary. CC ID 13684 Monitoring and measurement Corrective
    Align the enterprise architecture with the system security plan. CC ID 14255 Monitoring and measurement Preventive
    Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 Audits and risk management Preventive
    Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172
    [When defining consequence criteria, the following should especially be considered: loss of staff and intellectual capital (skills and expertise); § 6.4.3.2 ¶ 2c)]
    Audits and risk management Detective
    Assess the potential level of business impact risk associated with individuals. CC ID 17170
    [When defining consequence criteria, the following should especially be considered: adverse impact on interested parties; § 6.4.3.2 ¶ 2k)
    Risk acceptance criteria should be established considering the following influencing factors: human factors (e.g. related to privacy). § 6.4.2 ¶ 5 Bullet 9
    When defining consequence criteria, the following should especially be considered: loss of life or harm to individuals or groups; § 6.4.3.2 ¶ 2a)
    When defining consequence criteria, the following should especially be considered: loss of freedom, dignity or right to privacy; § 6.4.3.2 ¶ 2b)]
    Audits and risk management Detective
    Assess the potential level of business impact risk associated with non-compliance. CC ID 17169
    [When defining consequence criteria, the following should especially be considered: breaches of legal, regulatory or statutory requirements; § 6.4.3.2 ¶ 2i)]
    Audits and risk management Detective
    Assess the potential level of business impact risk associated with the natural environment. CC ID 17171
    [When defining consequence criteria, the following should especially be considered: negative impact on the environment, pollution. § 6.4.3.2 ¶ 2l)]
    Audits and risk management Detective
    Approve the risk acceptance level, as necessary. CC ID 17168
    [The risk acceptance criteria should be approved by the authorized management level. § 6.4.2 ¶ 15]
    Audits and risk management Preventive
    Analyze supply chain risk management procedures, as necessary. CC ID 13198 Audits and risk management Detective
    Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895
    [Risk acceptance criteria should be established considering the following influencing factors: technological constraints; § 6.4.2 ¶ 5 Bullet 5]
    Operational management Preventive
  • Records Management
    1
    Retain records in accordance with applicable requirements. CC ID 00968
    [{risk treatment process} Action: Information about the information security risk assessment and treatment processes should be documented and retained. § 10.4.2 ¶ 2
    {risk treatment} Action: Information about the information security risk assessment and treatment results should be documented and retained. § 10.4.3 ¶ 2]
    Records management Preventive
  • Technical Security
    1
    Analyze the organization's information security environment. CC ID 13122 Audits and risk management Preventive
  • Testing
    3
    Review the risk assessments as compared to the in scope controls. CC ID 06978
    [According to ISO/IEC 27001:2022, 6.1.2 b), the organization in the scope of the ISMS is required to ensure that repeated information security risk assessments produce consistent, valid and comparable results. It means the chosen method should ensure the following properties of results: § 6.5 ¶ 4]
    Audits and risk management Detective
    Perform risk assessments for all target environments, as necessary. CC ID 06452
    [If the risk assessment provides sufficient information to effectively determine the actions required to modify the risks to an acceptable level, then the task is complete and the risk treatment follows. If the information is insufficient, another iteration of the risk assessment should be performed. This can involve a change of context of the risk assessment (e.g. revised scope), involvement of expertise in the relevant field, or other ways to collect the information required to enable risk modification to an acceptable level (see "risk decision point 1" in Figure 1). § 5.1 ¶ 5
    Organizations can perform risk assessments embedded within many different processes, such as project management, vulnerability management, incident management, problem management, or even on an impromptu basis for a given identified specific topic. Regardless of how risk assessments are performed, they should collectively cover all the issues relevant to the organization within the scope of an ISMS. § 6.3 ¶ 2
    {requirement} Action: The risk assessment process should be performed in accordance with Clause 7. § 9.1 ¶ 3]
    Audits and risk management Preventive
    Determine the effectiveness of risk control measures. CC ID 06601
    [Risk treatment involves an iterative process of: assessing the effectiveness of that treatment; § 5.1 ¶ 6 Bullet 3
    The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: ensuring that the risk treatments are effective, efficient and economical in both design and operation; § 10.5.1 ¶ 2a)]
    Audits and risk management Detective
Common Controls and mandates by Classification
67 Mandated Controls - bold
6 Implied Controls - italic
140 Implementation

There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.

Number of Controls
213 Total
  • Corrective
    5
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 Leadership and high level objectives Establish/Maintain Documentation
    Update or adjust fraud detection systems, as necessary. CC ID 13684 Monitoring and measurement Process or Activity
    Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 Audits and risk management Acquisition/Sale of Assets or Services
    Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552
    [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to the entire risk assessment and the updates can be divided into two risk management cycles: § 5.2 ¶ 1]
    Audits and risk management Establish/Maintain Documentation
    Document residual risk in a residual risk report. CC ID 13664 Audits and risk management Establish/Maintain Documentation
  • Detective
    27
    Monitor and evaluate environmental threats. CC ID 13481 Monitoring and measurement Monitor and Evaluate Occurrences
    Review the risk assessments as compared to the in scope controls. CC ID 06978
    [According to ISO/IEC 27001:2022, 6.1.2 b), the organization in the scope of the ISMS is required to ensure that repeated information security risk assessments produce consistent, valid and comparable results. It means the chosen method should ensure the following properties of results: § 6.5 ¶ 4]
    Audits and risk management Testing
    Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 Audits and risk management Business Processes
    Analyze the risk management strategy for addressing threats. CC ID 12925
    [In general, to set risk criteria, the following should be considered: how combinations and sequences of multiple risks will be taken into account; § 6.4.1 ¶ 3 Bullet 6]
    Audits and risk management Audits and Risk Management
    Analyze the risk management strategy for addressing opportunities. CC ID 12924
    [Risk acceptance criteria should be established considering the following influencing factors: organizational opportunities; § 6.4.2 ¶ 5 Bullet 2]
    Audits and risk management Audits and Risk Management
    Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 Audits and risk management Human Resources Management
    Review the risk profiles, as necessary. CC ID 16561 Audits and risk management Audits and Risk Management
    Update the risk assessment upon changes to the risk profile. CC ID 11627
    [The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to the entire risk assessment and the updates can be divided into two risk management cycles: § 5.2 ¶ 1
    The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: analysing and learning lessons from incidents (including near misses), changes, trends, successes and failures; § 10.5.1 ¶ 2c)]
    Audits and risk management Establish/Maintain Documentation
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and risk management Audits and Risk Management
    Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 Audits and risk management Investigate
    Assess the potential level of business impact risk associated with the loss of personnel. CC ID 17172
    [When defining consequence criteria, the following should especially be considered: loss of staff and intellectual capital (skills and expertise); § 6.4.3.2 ¶ 2c)]
    Audits and risk management Process or Activity
    Assess the potential level of business impact risk associated with individuals. CC ID 17170
    [When defining consequence criteria, the following should especially be considered: adverse impact on interested parties; § 6.4.3.2 ¶ 2k)
    Risk acceptance criteria should be established considering the following influencing factors: human factors (e.g. related to privacy). § 6.4.2 ¶ 5 Bullet 9
    When defining consequence criteria, the following should especially be considered: loss of life or harm to individuals or groups; § 6.4.3.2 ¶ 2a)
    When defining consequence criteria, the following should especially be considered: loss of freedom, dignity or right to privacy; § 6.4.3.2 ¶ 2b)]
    Audits and risk management Process or Activity
    Assess the potential level of business impact risk associated with each business process. CC ID 06463
    [Risk acceptance criteria should be established considering the following influencing factors: processes; § 6.4.2 ¶ 5 Bullet 7
    {determine} {appropriateness} {risk management activities} Considerations for achieving this include: the strategic value of the business processes that make use of the information; § 6.4.3.1 ¶ 4c)
    Risk acceptance criteria should be established considering the following influencing factors: operational activities; § 6.4.2 ¶ 5 Bullet 4
    {internal operations} When defining consequence criteria, the following should especially be considered: impaired internal or third-party operations (e.g. damage to a business function or process); § 6.4.3.2 ¶ 2d)]
    Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464
    [In general, to set risk criteria, the following should be considered: how consequence and likelihood will be defined, predicted and measured; § 6.4.1 ¶ 3 Bullet 2
    Consequently, risk acceptance criteria should ideally include consideration of likelihood and consequence independently, as well as costs of management, rather than merely level of risk as a combination of likelihood and consequence. § 6.4.2 ¶ 10
    When defining consequence criteria, the following should especially be considered: effects to plans and deadlines; § 6.4.3.2 ¶ 2e)
    When defining consequence criteria, the following should especially be considered: loss of business advantage or market share; § 6.4.3.2 ¶ 2g)
    {business value} When defining consequence criteria, the following should especially be considered: loss of business and financial value; § 6.4.3.2 ¶ 2f)
    ISO 31000 is referenced in ISO/IEC 27001 as a general model. ISO/IEC 27001:2022, 6.1.2, requires that for each identified risk, the risk analysis is based on assessing the consequences resulting from the risk and assessing the likelihood of the risk to determine a level of risk. § 7.3.1 ¶ 2]
    Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465
    [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: the criticality of the information and assets related to information involved; § 6.4.3.1 ¶ 4d)
    {determine} {appropriateness} {risk management activities} Considerations for achieving this include: the quantity, and any concentration of information; § 6.4.3.1 ¶ 4b)]
    Audits and risk management Audits and Risk Management
    Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 Audits and risk management Investigate
    Assess the potential level of business impact risk associated with non-compliance. CC ID 17169
    [When defining consequence criteria, the following should especially be considered: breaches of legal, regulatory or statutory requirements; § 6.4.3.2 ¶ 2i)]
    Audits and risk management Process or Activity
    Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466
    [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: operational and business importance of availability, confidentiality and integrity; § 6.4.3.1 ¶ 4e)
    The consequences resulting from the failure to adequately preserve confidentiality, integrity or availability of information should be identified and assessed. § 7.3.2 ¶ 3]
    Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467
    [ISO/IEC 27001 is concerned with the consequences which are directly or indirectly affected by the preservation or loss of confidentiality, integrity and availability of information in the scope of the ISMS. Consequence criteria should be developed and specified in terms of the extent of damage or loss, or harm to an organization or individual resulting from the loss of confidentiality, integrity and availability of information. When defining consequence criteria, the following should especially be considered: § 6.4.3.2 ¶ 2]
    Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with reputational damage. CC ID 15335
    [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: negative consequences such as loss of goodwill and reputation; § 6.4.3.1 ¶ 4g)
    When defining consequence criteria, the following should especially be considered: damage to public trust or reputation; § 6.4.3.2 ¶ 2h)]
    Audits and risk management Audits and Risk Management
    Assess the potential level of business impact risk associated with the natural environment. CC ID 17171
    [When defining consequence criteria, the following should especially be considered: negative impact on the environment, pollution. § 6.4.3.2 ¶ 2l)]
    Audits and risk management Process or Activity
    Assess the potential level of business impact risk associated with external entities. CC ID 06469
    [Risk acceptance criteria should be established considering the following influencing factors: supplier relationships; § 6.4.2 ¶ 5 Bullet 8
    When defining consequence criteria, the following should especially be considered: breaches of contracts or service levels; § 6.4.3.2 ¶ 2j)
    {internal operations} When defining consequence criteria, the following should especially be considered: impaired internal or third-party operations (e.g. damage to a business function or process); § 6.4.3.2 ¶ 2d)]
    Audits and risk management Audits and Risk Management
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704
    [{requirements} Action: Compare all necessary controls with those listed in ISO/IEC 27001:2022, Annex A. § 8.4 ¶ 3]
    Audits and risk management Establish/Maintain Documentation
    Determine the effectiveness of risk control measures. CC ID 06601
    [Risk treatment involves an iterative process of: assessing the effectiveness of that treatment; § 5.1 ¶ 6 Bullet 3
    The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: ensuring that the risk treatments are effective, efficient and economical in both design and operation; § 10.5.1 ¶ 2a)]
    Audits and risk management Testing
    Analyze the impact of artificial intelligence systems on society. CC ID 16317 Audits and risk management Audits and Risk Management
    Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 Audits and risk management Audits and Risk Management
    Analyze supply chain risk management procedures, as necessary. CC ID 13198 Audits and risk management Process or Activity
  • IT Impact Zone
    2
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
  • Preventive
    179
    Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796
    [{risk management} The basic requirements of relevant interested parties should be identified, as well as the status of compliance with these requirements. This includes identifying all the reference documents that define security rules and controls and that apply within the scope of the information security risk assessment. § 6.2 ¶ 2
    {determine} {appropriateness} {risk management activities} Considerations for achieving this include: the expectations and perceptions of interested parties (e.g. top management); § 6.4.3.1 ¶ 4f)]
    Leadership and high level objectives Business Processes
    Establish and maintain an Authority Document list. CC ID 07113
    [{risk management} The basic requirements of relevant interested parties should be identified, as well as the status of compliance with these requirements. This includes identifying all the reference documents that define security rules and controls and that apply within the scope of the information security risk assessment. § 6.2 ¶ 2]
    Leadership and high level objectives Establish/Maintain Documentation
    Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 Leadership and high level objectives Establish/Maintain Documentation
    Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 Leadership and high level objectives Establish/Maintain Documentation
    Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 Leadership and high level objectives Establish/Maintain Documentation
    Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 Leadership and high level objectives Establish/Maintain Documentation
    Include explanations, compensating controls, or risk acceptance in the compliance exceptions document. CC ID 01631
    [Any non-compliance with the basic requirements should be explained and justified. These basic requirements and their compliance should be the input for the likelihood assessment and for the risk treatment. § 6.2 ¶ 4]
    Leadership and high level objectives Establish/Maintain Documentation
    Include cost benefit analysis in the decision management strategy. CC ID 14014
    [An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can be based on likelihood and consequence alone, or can be extended to also consider the cost/benefit balance between prospective losses and the cost of controls; § 6.4.2 ¶ 4d)
    Consequently, risk acceptance criteria should ideally include consideration of likelihood and consequence independently, as well as costs of management, rather than merely level of risk as a combination of likelihood and consequence. § 6.4.2 ¶ 10]
    Leadership and high level objectives Establish/Maintain Documentation
    Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841
    [Risk acceptance criteria should be established considering the following influencing factors: organizational objectives; § 6.4.2 ¶ 5 Bullet 1]
    Leadership and high level objectives Process or Activity
    Establish, implement, and maintain a risk monitoring program. CC ID 00658
    [The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: § 10.5.1 ¶ 2
    The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: obtaining information to improve future risk assessments; § 10.5.1 ¶ 2b)
    The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: detecting changes in the internal and external context, including changes to risk criteria and the risks themselves, which can require revision of risk treatments and priorities; § 10.5.1 ¶ 2d)
    Action: Risks and their factors (i.e. value of assets, consequences, threats, vulnerabilities, likelihood of occurrence) should be monitored and reviewed to identify any changes in the context of the organization at an early stage, and to maintain an overview of the complete risk picture. § 10.5.2 ¶ 3
    The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: identifying emerging risks. § 10.5.1 ¶ 2e)]
Monitoring and measurement | Establish/Maintain Documentation
Include a system description in the system security plan. CC ID 16467 | Monitoring and measurement | Establish/Maintain Documentation
Include a description of the operational context in the system security plan. CC ID 14301 | Monitoring and measurement | Establish/Maintain Documentation
Include the results of the security categorization in the system security plan. CC ID 14281 | Monitoring and measurement | Establish/Maintain Documentation
Include the information types in the system security plan. CC ID 14696 | Monitoring and measurement | Establish/Maintain Documentation
Include the security requirements in the system security plan. CC ID 14274 | Monitoring and measurement | Establish/Maintain Documentation
Include cryptographic key management procedures in the system security plan. CC ID 17029 | Monitoring and measurement | Establish/Maintain Documentation
Include threats in the system security plan. CC ID 14693 | Monitoring and measurement | Establish/Maintain Documentation
Include network diagrams in the system security plan. CC ID 14273 | Monitoring and measurement | Establish/Maintain Documentation
Include roles and responsibilities in the system security plan. CC ID 14682 | Monitoring and measurement | Establish/Maintain Documentation
Include backup and recovery procedures in the system security plan. CC ID 17043 | Monitoring and measurement | Establish/Maintain Documentation
Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Monitoring and measurement | Establish/Maintain Documentation
Include remote access methods in the system security plan. CC ID 16441 | Monitoring and measurement | Establish/Maintain Documentation
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Monitoring and measurement | Communicate
Include a description of the operational environment in the system security plan. CC ID 14272 | Monitoring and measurement | Establish/Maintain Documentation
Include the security categorizations and rationale in the system security plan. CC ID 14270 | Monitoring and measurement | Establish/Maintain Documentation
Include the authorization boundary in the system security plan. CC ID 14257 | Monitoring and measurement | Establish/Maintain Documentation
Align the enterprise architecture with the system security plan. CC ID 14255 | Monitoring and measurement | Process or Activity
Include security controls in the system security plan. CC ID 14239 | Monitoring and measurement | Establish/Maintain Documentation
Include the roles and responsibilities in the test plan. CC ID 14299 | Monitoring and measurement | Establish/Maintain Documentation
Include the assessment team in the test plan. CC ID 14297 | Monitoring and measurement | Establish/Maintain Documentation
Include the scope in the test plans. CC ID 14293 | Monitoring and measurement | Establish/Maintain Documentation
Include the assessment environment in the test plan. CC ID 14271 | Monitoring and measurement | Establish/Maintain Documentation
Approve the system security plan. CC ID 14241 | Monitoring and measurement | Business Processes
    Establish, implement, and maintain risk management metrics. CC ID 01656
    [{be equivalent} If a qualitative approach is used, the levels of any qualitative scale should be unambiguous, its increments should be clearly defined, the qualitative descriptions for each level should be expressed in objective language and the levels should not overlap. When different scales are used (e.g. to address risks in different business domains), there should be an equivalency to allow comparable results. § 6.4.3.4 ¶ 8
    The organization's monitoring process (see ISO/IEC 27001:2022, 9.1) should encompass all aspects of the risk assessment and risk treatment processes for the purposes of: analysing and learning lessons from incidents (including near misses), changes, trends, successes and failures; § 10.5.1 ¶ 2c)]
Monitoring and measurement | Establish/Maintain Documentation
    Establish, implement, and maintain compliance program metrics. CC ID 11625
    [{risk management} The basic requirements of relevant interested parties should be identified, as well as the status of compliance with these requirements. This includes identifying all the reference documents that define security rules and controls and that apply within the scope of the information security risk assessment. § 6.2 ¶ 2]
Monitoring and measurement | Monitor and Evaluate Occurrences
    Establish, implement, and maintain a risk management program. CC ID 12051
[The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to the entire risk assessment and the updates can be divided into two risk management cycles: § 5.2 ¶ 1
{risk management operational cycle} The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to the entire risk assessment and the updates can be divided into two risk management cycles: operational cycle, where the above-mentioned elements serve as input information or changed criteria that will affect a risk assessment or assessment where the scenarios should be reviewed and updated. The review should include updating of the corresponding risk treatment as applicable. § 5.2 ¶ 1 Bullet 2
{risk management strategic cycle} {risk management operational cycle} The strategic cycle should be conducted on a longer time basis or when major changes occur while the operational cycle should be shorter depending on the detailed risks that are identified and assessed as well as the related risk treatment. § 5.2 ¶ 2
    Action: The information security risk management process should be continually monitored, reviewed and improved as necessary. § 10.8 ¶ 3]
Audits and risk management | Establish/Maintain Documentation
Include the scope of risk management activities in the risk management program. CC ID 13658 | Audits and risk management | Establish/Maintain Documentation
Integrate the risk management program with the organization's business activities. CC ID 13661 | Audits and risk management | Business Processes
    Integrate the risk management program into daily business decision-making. CC ID 13659
    [The risk assessment should help the organization make decisions about the management of the risks that affect the achievement of its objectives. This should therefore be targeted at those risks and controls that, if managed successfully, will improve the likelihood of the organization achieving its objectives. § 6.3 ¶ 3]
Audits and risk management | Business Processes
Include managing mobile risks in the risk management program. CC ID 13535 | Audits and risk management | Establish/Maintain Documentation
Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 | Audits and risk management | Audits and Risk Management
Include regular updating in the risk management system. CC ID 14990 | Audits and risk management | Business Processes
Establish, implement, and maintain a risk management policy. CC ID 17192 | Audits and risk management | Establish/Maintain Documentation
    Establish, implement, and maintain risk management strategies. CC ID 13209
[{risk management strategic cycle} The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to the entire risk assessment and the updates can be divided into two risk management cycles: strategic cycle, where business assets, risk sources and threats, target objectives or consequences to information security events are evolving from changes in the overall context of the organization. This can result as inputs for an overall update of the risk assessment or risk assessments and the risk treatments. It can also serve as an input for identifying new risks and initiate completely new risk assessments; § 5.2 ¶ 1 Bullet 1
{risk management strategic cycle} {risk management operational cycle} The strategic cycle should be conducted on a longer time basis or when major changes occur while the operational cycle should be shorter depending on the detailed risks that are identified and assessed as well as the related risk treatment. § 5.2 ¶ 2
    {risk management approach} The chosen approach should be documented. § 6.5 ¶ 3]
Audits and risk management | Establish/Maintain Documentation
Include off-site storage of supplies in the risk management strategies. CC ID 13221 | Audits and risk management | Establish/Maintain Documentation
Include data quality in the risk management strategies. CC ID 15308 | Audits and risk management | Data and Information Management
Include minimizing service interruptions in the risk management strategies. CC ID 13215 | Audits and risk management | Establish/Maintain Documentation
Include off-site storage in the risk mitigation strategies. CC ID 13213 | Audits and risk management | Establish/Maintain Documentation
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Establish/Maintain Documentation
    Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456
    [An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can include multiple thresholds, and authority for acceptance can be assigned to different levels of management; § 6.4.2 ¶ 4c)]
Audits and risk management | Establish Roles
    Establish, implement, and maintain a risk assessment program. CC ID 00687
[The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to the entire risk assessment and the updates can be divided into two risk management cycles: § 5.2 ¶ 1
    The organization should use the organizational risk assessment process (if established) to assess risks to information or to define an information security risk assessment process. § 7.1 ¶ 1
    {risk treatment process} Action: Information about the information security risk assessment and treatment processes should be documented and retained. § 10.4.2 ¶ 2]
Audits and risk management | Establish/Maintain Documentation
    Include the need for risk assessments in the risk assessment program. CC ID 06447
    [The context of the risk assessment should be determined including a description of scope and purpose as well as internal and external issues that affect the risk assessment. § 7.1 ¶ 3]
Audits and risk management | Establish/Maintain Documentation
    Establish and maintain the factors and context for risk to the organization. CC ID 12230
    [In general, to set risk criteria, the following should be considered: the nature and type of uncertainties that can affect outcomes and objectives (both tangible and intangible); § 6.4.1 ¶ 3 Bullet 1
    In general, to set risk criteria, the following should be considered: time-related factors; § 6.4.1 ¶ 3 Bullet 3
    In general, to set risk criteria, the following should be considered: the organization's capacity. § 6.4.1 ¶ 3 Bullet 7
    The list of influencing factors is not exhaustive. The organization should consider the influencing factors based on the context. § 6.4.2 ¶ 6
    The context of the risk assessment should be determined including a description of scope and purpose as well as internal and external issues that affect the risk assessment. § 7.1 ¶ 3
    Action: All relevant data should be considered to identify and describe internal and external issues influencing information security risk management and requirements of interested parties. § 10.1 ¶ 3]
Audits and risk management | Audits and Risk Management
    Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786
    [Risk acceptance criteria should be established considering the following influencing factors: financial constraints; § 6.4.2 ¶ 5 Bullet 6]
Audits and risk management | Establish/Maintain Documentation
Establish, implement, and maintain insurance requirements. CC ID 16562 | Audits and risk management | Establish/Maintain Documentation
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Audits and risk management | Communicate
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Audits and risk management | Communicate
Address cybersecurity risks in the risk assessment program. CC ID 13193 | Audits and risk management | Establish/Maintain Documentation
Establish, implement, and maintain fundamental rights impact assessments. CC ID 17217 | Audits and risk management | Audits and Risk Management
Include the categories of data used by the system in the fundamental rights impact assessment. CC ID 17248 | Audits and risk management | Establish/Maintain Documentation
Include metrics in the fundamental rights impact assessment. CC ID 17249 | Audits and risk management | Establish/Maintain Documentation
Include the benefits of the system in the fundamental rights impact assessment. CC ID 17244 | Audits and risk management | Establish/Maintain Documentation
Include user safeguards in the fundamental rights impact assessment. CC ID 17255 | Audits and risk management | Establish/Maintain Documentation
Include the outputs produced by the system in the fundamental rights impact assessment. CC ID 17247 | Audits and risk management | Establish/Maintain Documentation
Include the purpose in the fundamental rights impact assessment. CC ID 17243 | Audits and risk management | Establish/Maintain Documentation
Include monitoring procedures in the fundamental rights impact assessment. CC ID 17254 | Audits and risk management | Establish/Maintain Documentation
Include risk management measures in the fundamental rights impact assessment. CC ID 17224 | Audits and risk management | Establish/Maintain Documentation
Include human oversight measures in the fundamental rights impact assessment. CC ID 17223 | Audits and risk management | Establish/Maintain Documentation
Include risks in the fundamental rights impact assessment. CC ID 17222 | Audits and risk management | Establish/Maintain Documentation
Include affected parties in the fundamental rights impact assessment. CC ID 17221 | Audits and risk management | Establish/Maintain Documentation
Include the frequency in the fundamental rights impact assessment. CC ID 17220 | Audits and risk management | Establish/Maintain Documentation
Include the usage duration in the fundamental rights impact assessment. CC ID 17219 | Audits and risk management | Establish/Maintain Documentation
Include system use in the fundamental rights impact assessment. CC ID 17218 | Audits and risk management | Establish/Maintain Documentation
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Audits and risk management | Process or Activity
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Audits and risk management | Establish/Maintain Documentation
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Audits and risk management | Communicate
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Audits and risk management | Establish/Maintain Documentation
Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Audits and risk management | Establish/Maintain Documentation
Include compliance requirements in the risk assessment policy. CC ID 14121 | Audits and risk management | Establish/Maintain Documentation
Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Audits and risk management | Establish/Maintain Documentation
Include management commitment in the risk assessment policy. CC ID 14119 | Audits and risk management | Establish/Maintain Documentation
Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Audits and risk management | Establish/Maintain Documentation
Include the scope in the risk assessment policy. CC ID 14117 | Audits and risk management | Establish/Maintain Documentation
Include the purpose in the risk assessment policy. CC ID 14116 | Audits and risk management | Establish/Maintain Documentation
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Audits and risk management | Communicate
    Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472
    [{legal aspects} Risk acceptance criteria should be established considering the following influencing factors: legal and regulatory aspects; § 6.4.2 ¶ 5 Bullet 3
    {legal requirements} The organization should develop a risk ranking, taking into account the following: legal and regulatory requirements, and contractual obligations; § 6.4.3.4 ¶ 3c)]
Audits and risk management | Establish/Maintain Documentation
Analyze the organization's information security environment. CC ID 13122 | Audits and risk management | Technical Security
    Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473
    [Any non-compliance with the basic requirements should be explained and justified. These basic requirements and their compliance should be the input for the likelihood assessment and for the risk treatment. § 6.2 ¶ 4
    Risk assessment criteria, or a formal basis for defining them, should be standardized across the organization for all types of risk assessment, as this can facilitate the communication, comparison and aggregation of risks associated with multiple business domains. § 6.4.3.1 ¶ 5
    Whether quantitative or qualitative criteria are used, evaluation scales should ultimately be anchored to a reference scale that is understood by all interested parties, and both risk analysis and risk evaluation should include at least periodic formal calibration against the reference scale to ensure validity, consistency and comparability of results. § 6.4.3.4 ¶ 7
    {information security risk management method} It means the chosen method should ensure the following properties of results: comparability: risk assessment criteria should be defined to ensure that assessments performed for different risks produce comparable results when representing equivalent levels of risk; § 6.5 ¶ 4 Bullet 2
    The risk assessment process should be based on methods (see 6.5) and tools designed in sufficient detail to ensure, as far as is possible, consistent, valid and reproducible results. Furthermore, the outcome should be comparable, e.g. to determine whether the level of risk increased or decreased. § 7.1 ¶ 5
    {information security risk management method} It means the chosen method should ensure the following properties of results: consistency: assessments of the same risks performed by different persons, or by the same persons on different occasions, in the same context, should produce similar results; § 6.5 ¶ 4 Bullet 1]
Audits and risk management | Establish/Maintain Documentation
    Employ risk assessment procedures that take into account information classification. CC ID 06477
    [{determine} {appropriateness} {risk management activities} Considerations for achieving this include: the classification level of information; § 6.4.3.1 ¶ 4a)]
Audits and risk management | Establish/Maintain Documentation
    Employ risk assessment procedures that align with strategic objectives. CC ID 06474
    [The risk assessment should help the organization make decisions about the management of the risks that affect the achievement of its objectives. This should therefore be targeted at those risks and controls that, if managed successfully, will improve the likelihood of the organization achieving its objectives. § 6.3 ¶ 3
Risk analysis should be targeted at those risks and controls that, if managed successfully, improve the likelihood of the organization achieving its objectives. It is easy to spend significant time on a risk assessment, notably the assessment of likelihoods and consequences. To enable efficient decision-making on the management of risks, it can be sufficient to use initial, and rough estimates of likelihood and consequence. § 7.3.1 ¶ 4]
Audits and risk management | Establish/Maintain Documentation
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Audits and risk management | Human Resources Management
    Employ risk assessment procedures that take into account the target environment. CC ID 06479
    [{information security risk management method} It means the chosen method should ensure the following properties of results: validity: assessments should produce the results that accord as closely as possible with reality. § 6.5 ¶ 4 Bullet 3]
Audits and risk management | Establish/Maintain Documentation
Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and risk management | Audits and Risk Management
    Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183
    [An organization should define levels of risk acceptance. The following should be considered during development: different risk acceptance criteria can apply to different classes of risk (e.g. risks that can result in non-compliance with regulations or laws are not always retained, while acceptance of risks can be allowed if the acceptance is a result of a contractual requirement); § 6.4.2 ¶ 4e)
    Consequence criteria define how an organization categorizes the significance of potential information security events to the organization. It is essential to determine how many categories of consequences are used, how they are defined, and what consequences are associated with each category. Usually, consequence criteria are different for different organizations depending on the organization's internal and external context. § 6.4.3.2 ¶ 3
    Depending on the situation, it is recommended to consider the inherent level of risk (without considering any controls), or the current level of risk (allowing for the effectiveness of any controls already implemented). The organization should develop a risk ranking, taking into account the following: § 6.4.3.4 ¶ 3
    {external risk} The organization should develop a risk ranking, taking into account the following: risks that appear beyond the boundaries of the organization's scope, including unforeseen effects on third parties. § 6.4.3.4 ¶ 3d)
    Action: Level of risks should be compared against risk evaluation criteria, particularly risk acceptance criteria. § 7.4.1 ¶ 3]
Audits and risk management | Establish/Maintain Documentation
    Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484
    [Information security risk assessment criteria should take into account the appropriateness of risk management activities. § 6.4.3.1 ¶ 3]
Audits and risk management | Establish/Maintain Documentation
    Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698
    [Action: Risks associated with the loss of confidentiality, integrity and availability of information should be identified. § 7.2.1 ¶ 3]
Audits and risk management | Audits and Risk Management
    Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173
    [In general, to set risk criteria, the following should be considered: how consequence and likelihood will be defined, predicted and measured; § 6.4.1 ¶ 3 Bullet 2
    Consequently, risk acceptance criteria should ideally include consideration of likelihood and consequence independently, as well as costs of management, rather than merely level of risk as a combination of likelihood and consequence. § 6.4.2 ¶ 10
    Likelihood criteria should cover the predictably manageable range of anticipated event likelihoods. Beyond the limits of practicable manageability, it is typically only necessary to recognize that one or another limit has been exceeded in order to make an adequate risk management decision (designation as an extreme case). If finite scales are too wide, this typically results in excessively coarse quantization and can lead to error in assessment. This is particularly the case where likelihoods fall into the high end of exponentially represented scales, as the increments in the upper ranges are intrinsically very wide. § 6.4.3.3 ¶ 4
    The organization should develop a risk ranking, taking into account the following: the consequence criteria and likelihood criteria; § 6.4.3.4 ¶ 3a)
    ISO 31000 is referenced in ISO/IEC 27001 as a general model. ISO/IEC 27001:2022, 6.1.2, requires that for each identified risk, the risk analysis is based on assessing the consequences resulting from the risk and assessing the likelihood of the risk to determine a level of risk. § 7.3.1 ¶ 2
    The likelihood of occurrence of possible or actual scenarios should be assessed and expressed using established likelihood criteria. § 7.3.3 ¶ 3]
Audits and risk management | Audits and Risk Management
Approve the threat and risk classification scheme. CC ID 15693 | Audits and risk management | Business Processes
    Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136
    [Whether quantitative or qualitative criteria are used, evaluation scales should ultimately be anchored to a reference scale that is understood by all interested parties, and both risk analysis and risk evaluation should include at least periodic formal calibration against the reference scale to ensure validity, consistency and comparability of results. § 6.4.3.4 ¶ 7]
Audits and risk management | Communicate
    Perform risk assessments for all target environments, as necessary. CC ID 06452
    [If the risk assessment provides sufficient information to effectively determine the actions required to modify the risks to an acceptable level, then the task is complete and the risk treatment follows. If the information is insufficient, another iteration of the risk assessment should be performed. This can involve a change of context of the risk assessment (e.g. revised scope), involvement of expertise in the relevant field, or other ways to collect the information required to enable risk modification to an acceptable level (see "risk decision point 1" in Figure 1). § 5.1 ¶ 5
    Organizations can perform risk assessments embedded within many different processes, such as project management, vulnerability management, incident management, problem management, or even on an impromptu basis for a given identified specific topic. Regardless of how risk assessments are performed, they should collectively cover all the issues relevant to the organization within the scope of an ISMS. § 6.3 ¶ 2
    {requirement} Action: The risk assessment process should be performed in accordance with Clause 7. § 9.1 ¶ 3]
Audits and risk management | Testing
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Audits and risk management | Establish/Maintain Documentation
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Audits and risk management | Establish/Maintain Documentation
    Create a risk assessment report based on the risk assessment results. CC ID 15695
    [{risk treatment} Action: Information about the information security risk assessment and treatment results should be documented and retained. § 10.4.3 ¶ 2]
Audits and risk management | Establish/Maintain Documentation
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Audits and risk management | Communicate
    Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718
    [Action: Information on risks, their causes, consequences, their likelihood and the controls being taken to treat them should be communicated to, or obtained from, the external and internal interested parties. § 10.3 ¶ 4]
Audits and risk management | Behavior
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686
    [The organization should develop a risk ranking, taking into account the following: the consequence criteria and likelihood criteria; § 6.4.3.4 ¶ 3a)
    The consequences resulting from the failure to adequately preserve confidentiality, integrity or availability of information should be identified and assessed. § 7.3.2 ¶ 3
    The organization should develop a risk ranking, taking into account the following: the consequences that information security events can have on strategic, tactical and operational levels (this can be defined as worst case or in other terms provided the same basis is used consistently); § 6.4.3.4 ¶ 3b)]
Audits and risk management | Audits and Risk Management
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 | Audits and risk management | Establish/Maintain Documentation
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Audits and risk management | Establish/Maintain Documentation
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 | Audits and risk management | Establish/Maintain Documentation
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 | Audits and risk management | Establish/Maintain Documentation
Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Audits and risk management | Establish/Maintain Documentation
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 | Audits and risk management | Communicate
Establish, implement, and maintain a risk register. CC ID 14828 | Audits and risk management | Establish/Maintain Documentation
    Analyze and quantify the risks to in scope systems and information. CC ID 00701
    [The organization should use the organizational risk assessment process (if established) to assess risks to information or to define an information security risk assessment process. § 7.1 ¶ 1]
    Audits and risk management Audits and Risk Management
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703
    [In general, to set risk criteria, the following should be considered: consistency in the use of measurements; § 6.4.1 ¶ 3 Bullet 4
    In general, to set risk criteria, the following should be considered: how the level of risk will be determined; § 6.4.1 ¶ 3 Bullet 5
    Consequence criteria define how an organization categorizes the significance of potential information security events to the organization. It is essential to determine how many categories of consequences are used, how they are defined, and what consequences are associated with each category. Usually, consequence criteria are different for different organizations depending on the organization's internal and external context. § 6.4.3.2 ¶ 3
    {be equivalent} If a qualitative approach is used, the levels of any qualitative scale should be unambiguous, its increments should be clearly defined, the qualitative descriptions for each level should be expressed in objective language and the levels should not overlap. When different scales are used (e.g. to address risks in different business domains), there should be an equivalency to allow comparable results. § 6.4.3.4 ¶ 8]
    Audits and risk management Audits and Risk Management
    Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706
    [Risk treatment involves an iterative process of: deciding whether the remaining risk is acceptable; § 5.1 ¶ 6 Bullet 4
    It is important to understand that risk appetite, defined as the amount of risk an organization is willing to pursue or accept, can vary considerably from organization to organization. For instance, factors affecting an organization's risk appetite include size, complexity and sector. Risk appetite should be set and regularly reviewed by top management. § 6.1 ¶ 3
    An organization should define levels of risk acceptance. The following should be considered during development: § 6.4.2 ¶ 4
    {is unacceptable} In risk evaluation, risk acceptance criteria should be used to determine whether a risk is acceptable or not. § 6.4.2 ¶ 2
    An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can include multiple thresholds, and authority for acceptance can be assigned to different levels of management; § 6.4.2 ¶ 4c)
    An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can be based on likelihood and consequence alone, or can be extended to also consider the cost/benefit balance between prospective losses and the cost of controls; § 6.4.2 ¶ 4d)
    An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria should be defined based upon the risk appetite that indicates amount and type of risk that the organization is willing to pursue or retain; § 6.4.2 ¶ 4g)
    An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can be absolute or conditional depending on the context. § 6.4.2 ¶ 4h)
    The risk criteria should be kept under review and updated as necessary as a result of any changes in the context of information security risk management. § 6.4.2 ¶ 13
    {determine} {appropriateness} {risk management activities} Considerations for achieving this include: consistency with the organizational risk criteria. § 6.4.3.1 ¶ 4h)
    Depending on the situation, it is recommended to consider the inherent level of risk (without considering any controls), or the current level of risk (allowing for the effectiveness of any controls already implemented). The organization should develop a risk ranking, taking into account the following: § 6.4.3.4 ¶ 3
    Risk acceptance criteria should be established considering the following influencing factors: § 6.4.2 ¶ 5
    The level of risk should be determined as a combination of the assessed likelihood and the assessed consequences for all relevant risk scenarios. § 7.3.4 ¶ 3
    Action: Determine whether the residual risks are acceptable. § 8.6.3 ¶ 3]
    Audits and risk management Establish/Maintain Documentation
    Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483
    [Risk treatment involves an iterative process of: formulating and selecting risk treatment options; § 5.1 ¶ 6 Bullet 1
    Action: Risk treatment options should be chosen. § 8.2 ¶ 3]
    Audits and risk management Establish/Maintain Documentation
    Approve the risk acceptance level, as necessary. CC ID 17168
    [The risk acceptance criteria should be approved by the authorized management level. § 6.4.2 ¶ 15]
    Audits and risk management Process or Activity
    Document the results of the gap analysis. CC ID 16271 Audits and risk management Establish/Maintain Documentation
    Prioritize and select controls based on the risk assessment findings. CC ID 00707
    [The purpose of scales for level of risk is to help risk owners to decide about retaining or otherwise treating risks and to prioritize them for risk treatment. The assessed level of a particular risk should help the organization to determine the urgency for addressing that risk. § 6.4.3.4 ¶ 2
    Action: The risks on the list should be prioritized for risk treatment, considering assessed levels of risks. § 7.4.2 ¶ 3
    The output of this process is a set of necessary information security controls [see ISO/IEC 27001:2022, 6.1.3 b)] that are to be deployed or enhanced in relation to one another, in accordance with the risk treatment plan [see ISO/IEC 27001:2022, 6.1.3 e)]. Deployed in this way, the effectiveness of the risk treatment plan is to modify the information security risk facing the organization so that it meets the organization's criteria for acceptance. § 8.1 ¶ 2
    Action: Determine all controls, from the chosen control sets as selected from an appropriate source, that are necessary for treating the risks based on the risk treatment options chosen, such as to modify, retain, avoid or share the risks. § 8.3 ¶ 3]
    Audits and risk management Audits and Risk Management
    Establish, implement, and maintain a risk treatment plan. CC ID 11983
    [Risk treatment involves an iterative process of: planning and implementing risk treatment; § 5.1 ¶ 6 Bullet 2
    An organization should define levels of risk acceptance. The following should be considered during development: risk acceptance criteria can include requirements for future additional treatment (e.g. a risk can be retained on a short-term basis even when the level of risk exceeds the risk acceptance criteria if there is approval and commitment to take action to implement a chosen set of controls to reach an acceptable level within a defined time period); § 6.4.2 ¶ 4f)
    {risk management operational cycle} The risk assessment and the risk treatment should be updated on a regular basis and based on changes. This should apply to the entire risk assessment, and the updates can be divided into two risk management cycles: operational cycle, where the above-mentioned elements serve as input information or changed criteria that will affect a risk assessment, or assessment where the scenarios should be reviewed and updated. The review should include updating of the corresponding risk treatment as applicable. § 5.2 ¶ 1 Bullet 2
    Action: Formulate risk treatment plan. § 8.6.1 ¶ 3
    Action: The risk treatment process should be performed in accordance with Clause 8. § 9.2 ¶ 3
    {risk treatment process} Action: Information about the information security risk assessment and treatment processes should be documented and retained. § 10.4.2 ¶ 2
    {risk treatment} Action: Information about the information security risk assessment and treatment results should be documented and retained. § 10.4.3 ¶ 2
    Action: Revise the risk treatment plan and implement it to modify the residual risk to an acceptable level. § 10.7 ¶ 3]
    Audits and risk management Establish/Maintain Documentation
    Include roles and responsibilities in the risk treatment plan. CC ID 16991 Audits and risk management Establish/Maintain Documentation
    Include time information in the risk treatment plan. CC ID 16993 Audits and risk management Establish/Maintain Documentation
    Include allocation of resources in the risk treatment plan. CC ID 16989 Audits and risk management Establish/Maintain Documentation
    Include the date of the risk assessment in the risk treatment plan. CC ID 16321 Audits and risk management Establish/Maintain Documentation
    Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 Audits and risk management Audits and Risk Management
    Include the risk treatment strategy in the risk treatment plan. CC ID 12159
    [{be unacceptable} Risk treatment involves an iterative process of: taking further treatment if not acceptable. § 5.1 ¶ 6 Bullet 5]
    Audits and risk management Establish/Maintain Documentation
    Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 Audits and risk management Establish/Maintain Documentation
    Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694
    [Action: Information on risks, their causes, consequences, their likelihood and the controls being taken to treat them should be communicated to, or obtained from, the external and internal interested parties. § 10.3 ¶ 4]
    Audits and risk management Communicate
    Approve the risk treatment plan. CC ID 13495
    [{approve} Action: Approval of risk treatment plan(s) by risk owners. § 8.6.2 ¶ 3
    Action: The results of information security risk assessment and status of the information security risk treatment plan should be reviewed to confirm that residual risks meet risk acceptance criteria, and that the risk treatment plan addresses all relevant risks and their risk treatment options. § 10.6 ¶ 3]
    Audits and risk management Audits and Risk Management
    Review and approve the risk assessment findings. CC ID 06485
    [Action: The results of information security risk assessment and status of the information security risk treatment plan should be reviewed to confirm that residual risks meet risk acceptance criteria, and that the risk treatment plan addresses all relevant risks and their risk treatment options. § 10.6 ¶ 3]
    Audits and risk management Establish/Maintain Documentation
    Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672
    [It is important to understand that risk appetite, defined as the amount of risk an organization is willing to pursue or accept, can vary considerably from organization to organization. For instance, factors affecting an organization's risk appetite include size, complexity and sector. Risk appetite should be set and regularly reviewed by top management. § 6.1 ¶ 3]
    Audits and risk management Business Processes
    Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 Audits and risk management Establish/Maintain Documentation
    Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 Audits and risk management Establish/Maintain Documentation
    Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 Audits and risk management Business Processes
    Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 Audits and risk management Audits and Risk Management
    Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 Audits and risk management Establish/Maintain Documentation
    Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 Audits and risk management Monitor and Evaluate Occurrences
    Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 Audits and risk management Communicate
    Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 Audits and risk management Communicate
    Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 Audits and risk management Establish/Maintain Documentation
    Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 Audits and risk management Communicate
    Acquire cyber insurance, as necessary. CC ID 12693 Audits and risk management Business Processes
    Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 Audits and risk management Establish/Maintain Documentation
    Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 Audits and risk management Monitor and Evaluate Occurrences
    Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 Audits and risk management Establish/Maintain Documentation
    Include compliance requirements in the supply chain risk management policy. CC ID 14711 Audits and risk management Establish/Maintain Documentation
    Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 Audits and risk management Establish/Maintain Documentation
    Include management commitment in the supply chain risk management policy. CC ID 14709 Audits and risk management Establish/Maintain Documentation
    Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 Audits and risk management Establish/Maintain Documentation
    Include the scope in the supply chain risk management policy. CC ID 14707 Audits and risk management Establish/Maintain Documentation
    Include the purpose in the supply chain risk management policy. CC ID 14706 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 Audits and risk management Communicate
    Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 Audits and risk management Establish/Maintain Documentation
    Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 Audits and risk management Establish/Maintain Documentation
    Include dates in the supply chain risk management plan. CC ID 15617 Audits and risk management Establish/Maintain Documentation
    Include implementation milestones in the supply chain risk management plan. CC ID 15615 Audits and risk management Establish/Maintain Documentation
    Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 Audits and risk management Establish/Maintain Documentation
    Include supply chain risk management procedures in the risk management program. CC ID 13190 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 Audits and risk management Communicate
    Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 Audits and risk management Human Resources Management
    Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 Audits and risk management Communicate
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 Human Resources management Establish Roles
    Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 Human Resources management Establish Roles
    Assign ownership of risks to the Board of Directors or senior management. CC ID 13662
    [The organization should ensure that the role of the risk owner is determined in terms of the management activities regarding the identified risks. Risk owners should have appropriate accountability and authority for managing identified risks. § 6.1 ¶ 4
    Action: Appropriate level of management should consider results related to information security risks, to decide on or endorse further actions. § 10.2 ¶ 3
    Action: Risks should be associated to risk owners. § 7.2.2 ¶ 3]
    Human Resources management Human Resources Management
    Define and assign roles and responsibilities for those involved in risk management. CC ID 13660
    [The organization should ensure that the role of the risk owner is determined in terms of the management activities regarding the identified risks. Risk owners should have appropriate accountability and authority for managing identified risks. § 6.1 ¶ 4
    An organization should define levels of risk acceptance. The following should be considered during development: the level of management with delegated authority to make risk acceptance decisions is identified; § 6.4.2 ¶ 4b)]
    Human Resources management Human Resources Management
    Include the management structure in the duties and responsibilities for risk management. CC ID 13665 Human Resources management Human Resources Management
    Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895
    [Risk acceptance criteria should be established considering the following influencing factors: technological constraints; § 6.4.2 ¶ 5 Bullet 5]
    Operational management Process or Activity
    Establish, implement, and maintain a baseline of internal controls. CC ID 12415
    [Action: Produce a Statement of Applicability. § 8.5 ¶ 3]
    Operational management Business Processes
    Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 Operational management Establish/Maintain Documentation
    Include the implementation status of controls in the baseline of internal controls. CC ID 16128 Operational management Establish/Maintain Documentation
    Include risk management in the information security program. CC ID 12378
    [Although almost anything is "possible", the risk sources that should be given primary attention are those with likelihoods most relevant to the organization's context and the scope of its ISMS. § 6.4.3.3 ¶ 5
    The organization should ensure that its information security risk management approach aligns with the organizational risk management approach, so that any information security risks can be compared with other organizational risks and not only considered in isolation. § 7.1 ¶ 6]
    Operational management Establish/Maintain Documentation
    Include mitigating supply chain risks in the information security program. CC ID 13352 Operational management Establish/Maintain Documentation
    Align the information security policy with the organization's risk acceptance level. CC ID 13042
    [An organization should define levels of risk acceptance. The following should be considered during development: consistency between the information security risk acceptance criteria and the organization's general risk acceptance criteria; § 6.4.2 ¶ 4a)
    {risk management methods} In general, the information security risk management approach and methods should be aligned with the approach and methods used to manage the other risks of the organization. § 6.5 ¶ 2]
    Operational management Business Processes
    Retain records in accordance with applicable requirements. CC ID 00968
    [{risk treatment process} Action: Information about the information security risk assessment and treatment processes should be documented and retained. § 10.4.2 ¶ 2
    {risk treatment} Action: Information about the information security risk assessment and treatment results should be documented and retained. § 10.4.3 ¶ 2]
    Records management Records Management