Content library
DORA simplified RMF
Article 31: ICT risk management

Requirement description

1. The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall include in their simplified ICT risk management framework all of the following:

(a) a determination of the risk tolerance levels for ICT risk, in accordance with the risk appetite of the financial entity;

(b) the identification and assessment of the ICT risks to which the financial entity is exposed;

(c) the specification of mitigation strategies at least for the ICT risks that are not within the risk tolerance levels of the financial entity;

(d) the monitoring of the effectiveness of the mitigation strategies referred to in point (c);

(e) the identification and assessment of any ICT and information security risks resulting from any major change in ICT system or ICT services, processes, or procedures, and from ICT security testing results and after any major ICT-related incident.

2. The financial entities referred to in paragraph 1 shall carry out and document the ICT risk assessment periodically commensurate to the financial entities’ ICT risk profile.

3. The financial entities referred to in paragraph 1 shall continuously monitor threats and vulnerabilities that are relevant to their critical or important functions, and information assets and ICT assets, and shall regularly review the risk scenarios impacting those critical or important functions.

4. The financial entities referred to in paragraph 1 shall set out alert thresholds and criteria to trigger and initiate ICT-related incident response processes.

How to fill the requirement

DORA simplified RMF

Article 31: ICT risk management

Task name
Priority
Status
Theme
Policy
Other requirements
Identification and documentation of cyber security risks
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
43
requirements

Examples of other requirements this task affects

Članak 30.1.a: Politike analize rizika i sigurnosti informacijskih sustava
NIS2 Croatia
2.5: Riskienhallinta
TiHL tietoturvavaatimukset
7 §: Riskienhallinta
Kyberturvallisuuslaki
1.4.1: Management of Information Security Risks
TISAX
13 §: Tietoaineistojen ja tietojärjestelmien tietoturvallisuus
TiHL
See all related requirements and other information from tasks own page.
Go to >
Identification and documentation of cyber security risks
1. Task description

The organization proactively seeks to list and assess the likelihood and severity of various cyber security risks. The documentation shall include the following:

  • Description of the risk
  • Evaluated impact and likelihood of the risk
  • Tasks for managing the risk or other treatment options
  • Acceptability of the risk
Risk management procedure -report publishing and maintenance
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
44
requirements

Examples of other requirements this task affects

Članak 30.1.a: Politike analize rizika i sigurnosti informacijskih sustava
NIS2 Croatia
2.5: Riskienhallinta
TiHL tietoturvavaatimukset
8 §: Kyberturvallisuutta koskeva riskienhallinnan toimintamalli
Kyberturvallisuuslaki
1.4.1: Management of Information Security Risks
TISAX
30 § 1°: Gestion des risques et maîtrise des incidents
NIS2 Belgium
See all related requirements and other information from tasks own page.
Go to >
Risk management procedure -report publishing and maintenance
1. Task description

The organization has defined procedures for assessing and treating cyber security risks. The definition includes at least:

  • Risk identification methods
  • Methods for risk analysis
  • Criteria for risk evaluation (impact and likelihood)
  • Risk priorisation, treatment options and defining control tasks
  • Risk acceptance criteria
  • Process implementation cycle, resourcing and responsibilities
  • The results should be included into the organization risk management process

The task owner regularly checks that the procedure is clear and produces consistent results.

Treatment process and documentation of occurred security incidents
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Incident management
Incident management and response
49
requirements

Examples of other requirements this task affects

Članak 30.1.b: Postupanje s incidentima, uključujući njihovo praćenje, evidentiranje i prijavljivanje
NIS2 Croatia
9.9b §: Poikkeamien käsittely
Kyberturvallisuuslaki
1.6.2: Management of reported events
TISAX
30 § 3.2° (incidents): La gestion des incidents
NIS2 Belgium
4.4.2: Review identified compromised security measures
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Treatment process and documentation of occurred security incidents
1. Task description

All security incidents are addressed in a consistent manner to improve security based on what has happened.

In the incident treatment process:

  • the reported incident is confirmed (or found unnecessary to record)
  • the type and cause of incident is documented
  • the risks associated with the incident are documented
  • the risks are re-evaluated and treated if that is necessary after the incident
  • risk mitigation measures or a decision their acceptance is documented
  • people who need to be informed of the results of the incident treatment are identified (including external ones)
  • possible need for a post-incident analysis is determined
Process for managing technical vulnerabilities
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Technical vulnerability management
38
requirements

Examples of other requirements this task affects

12.6.1: Management of technical vulnerabilities
ISO 27001
14.2.1: Secure development policy
ISO 27001
ID.RA-1: Asset vulnerabilities
NIST
PR.IP-12: Vulnerability management plan
NIST
RS.AN-5: Vulnerability management process
NIST
See all related requirements and other information from tasks own page.
Go to >
Process for managing technical vulnerabilities
1. Task description

The organization has defined a process for addressing identified technical vulnerabilities.

Some vulnerabilities can be fixed directly, but vulnerabilities that have a significant impact should also be documented as security incidents. Once a vulnerability with significant impacts has been identified:

  • risks related to the vulnerability and the necessary actions are identified (e.g. patching the system or other management tasks)
  • necessary actions are scheduled
  • all actions taken are documented
The goals of threat intelligence and the collection of information related to information security threats
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Technical vulnerability management
10
requirements

Examples of other requirements this task affects

5.7: Threat intelligence
ISO 27001
77: Menettely toimintaympäristön seuraamiseen
Digiturvan kokonaiskuvapalvelu
Article 13: Learning and evolving
DORA
4.1: Tietojärjestelmien tietoturvallisuus
TiHL tietoturvavaatimukset
ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
The goals of threat intelligence and the collection of information related to information security threats
1. Task description

Organization carries out threat intelligence by gathering information about information security threats related to its operations and how to protect against them. The goal is to increase awareness of the threat environment, so that own security level can be better evaluated and adequate control measures implemented.

When collecting threat intelligence, all three levels must be taken into account:

  • strategic threat intelligence (e.g. information on the growing types of attackers and attacks)
  • tactical threat intelligence (e.g. information about tools and technologies used in attacks)
  • operational threat intelligence (e.g. details of specific attacks)

Principles related to threat intelligence should include:

  • setting targets for threat intelligence
  • identification, verification and selection of information sources used in threat intelligence
  • gathering threat intelligence
  • data processing for analysis (e.g. translation, formatting, compression)
Creating and maintaining incident response plans
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Incident management
Incident management and response
7
requirements

Examples of other requirements this task affects

4.1.1: Establish plans for incident management
NSM ICT-SP
ID.IM-04: Incident response and cybersecurity plans
NIST 2.0
PR.IR-03: Meeting resilience requirements
NIST 2.0
RC.RP-01: Recovery plan
NIST 2.0
RS.MA-01: Incident response plan execution
NIST 2.0
See all related requirements and other information from tasks own page.
Go to >
Creating and maintaining incident response plans
1. Task description

The organization should create and maintain incident response plans. The response plans should include at least:

  • Incident or the type of incident for which the plan has been made
  • Goal for plan
  • Responsible persons and related stakeholders and contact information
  • Planned immediate actions
  • Planned next steps
Defining security events and incidents
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Incident management
Incident management and response
4
requirements

Examples of other requirements this task affects

1.6.1: Reporting of security events
TISAX
DE.AE-08: Incidents declaration criteria
NIST 2.0
17.9: Establish and Maintain Security Incident Thresholds
CIS 18
Article 31: ICT risk management
DORA simplified RMF
See all related requirements and other information from tasks own page.
Go to >
Defining security events and incidents
1. Task description

Organisation must develop a clear, comprehensive definition of what constitutes a reportable security event or observation, ensuring it covers the following categories:

  • Personnel misconduct or misbehavior.
  • Intrusion, theft, unauthorized access to security zones, and vulnerabilities in security zones.
  • Cybersecurity incidents such as vulnerabilities in IT systems, and detected successful or unsuccessful cyber-attacks.
  • Supplier and partner incidents that could negatively impact the security of the organization.

Organisation must have a defined procedure for reporting of incidents and it should be communicated to the personnel:

  • Design and implement effective reporting mechanisms tailored to perceived risks.
  • Ensure these mechanisms are well communicated and accessible to all employees, stakeholders, and relevant parties to facilitate timely and accurate reporting of security events.
  • Conduct training sessions and awareness programs to ensure that all relevant employees and stakeholders understand the definition of reportable security events and are familiar with the reporting mechanisms.
Enabling asset-based risk management in the ISMS
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
5
requirements

Examples of other requirements this task affects

Article 8: Identification
DORA
2.5: Riskienhallinta
TiHL tietoturvavaatimukset
5.2.2: Seperation of testing and development environments
TISAX
1.1.3: Identify the organisation’s processes for ICT risk management
NSM ICT-SP
Article 31: ICT risk management
DORA simplified RMF
See all related requirements and other information from tasks own page.
Go to >
Enabling asset-based risk management in the ISMS
1. Task description

The organization must enable asset based risk management from the ISMS settings.

Asset-based risk management should be set to cover all needed asset types with high enough criticality. The asset based risk management should be used at least for:

  • System providers
  • Data systems
  • Data stores
  • Other stakeholders
  • Other assets
Change management procedure for significant changes to data processing services
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Secure development
29
requirements

Examples of other requirements this task affects

Članak 30.1.e: Sigurnost u nabavi, razvoju i održavanju mrežnih i informacijskih sustava
NIS2 Croatia
9.3 §: Tietojärjestelmien hankinta ja kehittäminen
Kyberturvallisuuslaki
5.2.1: Change management
TISAX
5.3.1: Information Security in new systems
TISAX
30 § 3.5°: L'acquisition, du développement et de la maintenance des réseaux et des systèmes d'information
NIS2 Belgium
See all related requirements and other information from tasks own page.
Go to >
Change management procedure for significant changes to data processing services
1. Task description

Inadequate change management is a common cause of incidents for digital services.

An organization shall document the change management process that must be followed whenever significant changes are made to developed digital services or other computing services that affect cyber security. The process includes requirements e.g. for the following:

  • Defining and documenting the change
  • Assessing the risks and defining the necessary control measures
  • Other impact assessment of the change
  • Testing and quality assurance
  • Managed implementation of the change
  • Updating a change log
Assessment of the impact and likelihood of the risks and the scales used
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
9
requirements

Examples of other requirements this task affects

ID.RA-4: Impacts on business
NIST
Article 6: ICT risk management framework
DORA
2.5: Riskienhallinta
TiHL tietoturvavaatimukset
1.4.1: Management of Information Security Risks
TISAX
ID.RA-04: Impacts and likelihoods of threats
NIST 2.0
See all related requirements and other information from tasks own page.
Go to >
Assessment of the impact and likelihood of the risks and the scales used
1. Task description

As part of the security risk assessment, the organization shall make assessments of the severity and probability of the risk materializing.

The organization shall have a clearly instructed risk scale that allows each participant in the risk assessment to decide on the appropriate level of severity and probability.

Risk level accepted by the organization
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
20
requirements

Examples of other requirements this task affects

Članak 30.1.a: Politike analize rizika i sigurnosti informacijskih sustava
NIS2 Croatia
8 §: Kyberturvallisuutta koskeva riskienhallinnan toimintamalli
Kyberturvallisuuslaki
30 § 3.1°: L'analyse des risques et à la sécurité des systèmes d'information
NIS2 Belgium
1.1.4: Identify the organisation’s tolerances for ICT risk
NSM ICT-SP
1.1.2: Identify the organisation’s structures and processes for security management
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Risk level accepted by the organization
1. Task description

The organization must determine an acceptable level for risks. The level is calculated based on the likelihood, impact and control of the risks.

Evaluation of the information security measures defined in the risk management phase
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
5
requirements

Examples of other requirements this task affects

HAL-06: Riskienhallinta
Julkri
RISK-4: Respond to Cyber Risk
C2M2
CC5.1: Control activities for mitigation of risks
SOC 2
1.4.1: Management of Information Security Risks
TISAX
Article 31: ICT risk management
DORA simplified RMF
See all related requirements and other information from tasks own page.
Go to >
Evaluation of the information security measures defined in the risk management phase
1. Task description

When implementing information security risk management, the organisation must identify the risks that require treatment and define treatment plans for them, which often consist of new information security measures.

The organisation has defined how regularly the treatment plans defined as a whole are evaluated and their proportionality to the risk assessment (risk severity and probability).

Monitoring the status of risk management
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
8
requirements

Examples of other requirements this task affects

14.5.2): Aukščiausiosios vadovybės atsakomybė
NIS2 Lithuania
19: Riskienhallinan tilanteen seuraaminen
Digiturvan kokonaiskuvapalvelu
CC5.1: Control activities for mitigation of risks
SOC 2
Article 6: ICT risk management framework
DORA
2.5: Riskienhallinta
TiHL tietoturvavaatimukset
See all related requirements and other information from tasks own page.
Go to >
Monitoring the status of risk management
1. Task description

Implemented risk management measures and the overall situation of risk management are checked regularly.

The operating model for monitoring the status of risk management is clearly described.

Consideration of threat intelligence findings in the information security risk management process
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Technical vulnerability management
4
requirements

Examples of other requirements this task affects

5.7: Threat intelligence
ISO 27001
3.3.4: Obtain and process threat information from relevant sources
NSM ICT-SP
ID.IM-02: Improvements from security tests and exercises
NIST 2.0
Article 31: ICT risk management
DORA simplified RMF
See all related requirements and other information from tasks own page.
Go to >
Consideration of threat intelligence findings in the information security risk management process
1. Task description

Organization must consider the threat intelligence process findings in the information security risk management process. Threat intelligence can detect, for example, the proliferation of certain types of attacks or the development of new technologies, based on which assessments of certain information security risks must be updated, which may lead to the need to reduce risks through treatment plans.

Continuous improvement of the risk management process
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Risk management and leadership
Risk management
13
requirements

Examples of other requirements this task affects

Članak 30.1.a: Politike analize rizika i sigurnosti informacijskih sustava
NIS2 Croatia
8 §: Kyberturvallisuutta koskeva riskienhallinnan toimintamalli
Kyberturvallisuuslaki
1.4.1: Management of Information Security Risks
TISAX
30 § 3.1°: L'analyse des risques et à la sécurité des systèmes d'information
NIS2 Belgium
ID.GV-4: Governance and risk management processes address cybersecurity risks.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Continuous improvement of the risk management process
1. Task description

The organization has an operating model for continuously improving the functionality and efficiency of the risk management process.

In the improvement, it is possible to use e.g. general standards (e.g. ISO 27005) or feedback from people involved in risk management.

Tasks included in the policy

Task name
Priority
Status
Theme
Policy
Other requirements
No items found.

Never duplicate effort. Do it once - improve compliance across frameworks.

Reach multi-framework compliance in the simplest possible way
Security frameworks tend to share the same core requirements - like risk management, backup, malware, personnel awareness or access management.
Cyberday maps all frameworks’ requirements into shared tasks - one single plan that improves all frameworks’ compliance.
Do it once - we automatically apply it to all current and future frameworks.
Get to know Cyberday
Start your free trial
Cyberday is your all-in-one solution for building a secure and compliant organization. Whether you're setting up a cyber security plan, evaluating policies, implementing tasks, or generating automated reports, Cyberday simplifies the entire process.
With AI-driven insights and a user-friendly interface, it's easier than ever to stay ahead of compliance requirements and focus on continuous improvement.
Clear framework compliance plans
Activate relevant frameworks and turn them into actionable policies tailored to your needs.
Credible reports to proof your compliance
Use guided tasks to ensure secure implementations and create professional reports with just a few clicks.
AI-powered improvement suggestions
Focus on the most impactful improvements in your compliance with help from Cyberday AI.