Requirement

2.1.2: Cybersecurity risk management process

Oh no! No description found. But not to worry. Read from Tasks below how to advance this topic.

For the purpose of point 2.1.1, the relevant entities shall establish procedures for identification, analysis, assessment and treatment of risks (‘cybersecurity risk management process’). The cybersecurity risk management process shall be an integral part of the relevant entities’ overall risk management process, where applicable. As part of the cybersecurity risk management process, the relevant entities shall:

follow a risk management methodology;
establish the risk tolerance level in accordance with the risk appetite of the relevant entities;
establish and maintain relevant risk criteria;
in line with an all-hazards approach, identify and document the risks posed to the security of network and information systems, in particular in relation to third parties and risks that could lead to disruptions in the availability, integrity, authenticity and confidentiality of the network and information systems, including the identification of single point of failures;
analyse the risks posed to the security of network and information systems, including threat, likelihood, impact, and risk level, taking into account cyber threat intelligence and vulnerabilities;
evaluate the identified risks based on the risk criteria;
identify and prioritise appropriate risk treatment options and measures;
continuously monitor the implementation of the risk treatment measures;
identify who is responsible for implementing the risk treatment measures and when they should be implemented;
document the chosen risk treatment measures in a risk treatment plan and the reasons justifying the acceptance of residual risks in a comprehensible manner.

Fulfill this requirement by completing the tasks below ->

This requirement is part of the framework:

NIS2 Implementing Regulation

Other requirements of the framework

2.1.2: Cybersecurity risk management process

Best practices

How to implement:

2.1.2: Cybersecurity risk management process

This policy on

2.1.2: Cybersecurity risk management process

provides a set concrete tasks you can complete to secure this topic. Follow these best practices to ensure compliance and strengthen your overall security posture.

follow a risk management methodology;
establish the risk tolerance level in accordance with the risk appetite of the relevant entities;
establish and maintain relevant risk criteria;
in line with an all-hazards approach, identify and document the risks posed to the security of network and information systems, in particular in relation to third parties and risks that could lead to disruptions in the availability, integrity, authenticity and confidentiality of the network and information systems, including the identification of single point of failures;
analyse the risks posed to the security of network and information systems, including threat, likelihood, impact, and risk level, taking into account cyber threat intelligence and vulnerabilities;
evaluate the identified risks based on the risk criteria;
identify and prioritise appropriate risk treatment options and measures;
continuously monitor the implementation of the risk treatment measures;
identify who is responsible for implementing the risk treatment measures and when they should be implemented;
document the chosen risk treatment measures in a risk treatment plan and the reasons justifying the acceptance of residual risks in a comprehensible manner.

Read below what concrete actions you can take to improve this ->

Frameworks that include requirements for this topic:

No items found.

How to improve security around this topic

In Cyberday, requirements and controls are mapped to universal tasks. A set of tasks in the same topic create a Policy, such as this one.

Here's a list of tasks that help you improve your information and cyber security related to

2.1.2: Cybersecurity risk management process

Task name

Priority

Task completes

Complete these tasks to increase your compliance in this policy.

Critical

No other tasks found.

Complete these tasks in Cyberday ISMS ->

The ISMS component hierachy

When building an ISMS, it's important to understand the different levels of information hierarchy. Here's how Cyberday is structured.

Framework

Sets the overall compliance standard or regulation your organization needs to follow.

Requirements

Break down the framework into specific obligations that must be met.

Tasks

Concrete actions and activities your team carries out to satisfy each requirement.

Policies

Documented rules and practices that are created and maintained as a result of completing tasks.

Never duplicate effort. Do it once - improve compliance across frameworks.

Reach multi-framework compliance in the simplest possible way‍

Security frameworks tend to share the same core requirements - like risk management, backup, malware, personnel awareness or access management.

Cyberday maps all frameworks’ requirements into shared tasks - one single plan that improves all frameworks’ compliance.

Do it once - we automatically apply it to all current and future frameworks.

Start free trial