Free ebook: NIS2 ready using ISO 27001 best practices
Download ebook

Risk management procedure -report publishing and maintenance

Critical
High
Normal
Low

The organization has defined procedures for assessing and treating cyber security risks. The definition includes at least:

  • Risk identification methods
  • Methods for risk analysis
  • Criteria for risk evaluation (impact and likelihood)
  • Risk priorisation, treatment options and defining control tasks
  • Risk acceptance criteria
  • Process implementation cycle, resourcing and responsibilities

The task owner regularly checks that the procedure is clear and produces consistent results.

Connected other frameworks and requirements:
5.1.1: Policies for information security
ISO 27001
T04: Turvallisuusriskien hallinta
ID.GV-4: Processes
NIST CSF
ID.RA-5: Risk evaluation
NIST CSF
ID.RA-6: Risk responses
NIST CSF

Identification and documentation of cyber security risks

Critical
High
Normal
Low

The organization proactively seeks to list and assess the likelihood and severity of various cyber security risks. The documentation shall include the following:

  • Description of the risk
  • Evaluated impact and likelihood of the risk
  • Tasks for managing the risk or other treatment options
  • Acceptability of the risk
Connected other frameworks and requirements:
5. Principles relating to processing of personal data
GDPR
24. Responsibility of the controller
GDPR
4 luku, 13 §: Tietoaineistojen ja tietojärjestelmien tietoturvallisuus
T04: Turvallisuusriskien hallinta
ID.GV-4: Processes
NIST CSF
No items found.