The organization proactively seeks to list and assess the likelihood and severity of various cyber security risks. The documentation shall include the following:
In systematic cyber security work, the impact of significant changes must be assessed in advance and they must be executed in a controlled way. The consequences of unintentional changes must be assessed and efforts made to mitigate possible adverse effects.
Significant changes may include: changes in the organization, operating environment, business processes and data systems. Changes can be identified e.g. through management reviews and other cyber security work.
The organization assesses cyber security risks by responding to situations in which security has been mildly or severely compromised. The documentation shall include at least the following:
After risk treatment, the organization assesses the level of residual risk remaining for each risk.
For each residual risk, the risk owner makes a clear decision either to close the risk or to return it to the processing queue.