Risk management procedure -report publishing and maintenance

Critical
High
Normal
Low

The organization has defined procedures for assessing and treating cyber security risks. The definition includes at least:

  • Risk identification methods
  • Methods for risk analysis
  • Criteria for risk evaluation (impact and likelihood)
  • Risk priorisation, treatment options and defining control tasks
  • Risk acceptance criteria
  • Process implementation cycle, resourcing and responsibilities

The task owner regularly checks that the procedure is clear and produces consistent results.

Connected other frameworks and requirements:
T04: Turvallisuusriskien hallinta
5.1.1: Policies for information security
ISO 27001
ID.GV-4: Processes
NIST CSF
ID.RA-5: Risk evaluation
NIST CSF
ID.RA-6: Risk responses
NIST CSF

Risk level accepted by the organization

Critical
High
Normal
Low

The organization must determine an acceptable level for risks. The level is calculated based on the likelihood, impact and control of the risks.

Connected other frameworks and requirements:
ID.RM-2: Risk tolerance
NIST CSF
ID.RM-3: Informing of risk tolerance
NIST CSF
6.1: Information security risk management
ISO 27001
3.1 (MIL1): Establish and Maintain Cyber Risk Management Strategy and Program
C2M2
No items found.