Identification and documentation of cyber security risks
The organization proactively seeks to list and assess the likelihood and severity of various cyber security risks. The documentation shall include the following:
Description of the risk
Evaluated impact and likelihood of the risk
Tasks for managing the risk or other treatment options
Acceptability of the risk
See an example process description on the task's page.
Connected to other frameworks and requirements:
T04: Security risk management
Chapter 4, Section 13: Information security of data sets and information systems
GDPR Article 24: Responsibility of the controller
GDPR Article 5: Principles relating to processing of personal data