The organization proactively seeks to list and assess the likelihood and severity of various cyber security risks. The documentation shall include the following:
In systematic cyber security work, the impact of significant changes must be assessed in advance and they must be executed in a controlled way. The consequences of unintentional changes must be assessed and efforts made to mitigate possible adverse effects.
Significant changes may include: changes in the organization, operating environment, business processes and data systems. Changes can be identified e.g. through management reviews and other cyber security work.