COSO Principle 10: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Points of focus:
- Integrates With Risk Assessment
- Considers Entity-Specific Factors
- Determines Relevant Business Processes
- Evaluates a Mix of Control Activity Types
- Considers at What Level Activities Are Applied
- Addresses Segregation of Duties
When implementing information security risk management, the organisation must identify the risks that require treatment and define treatment plans for them; these plans often consist of new information security measures.
The organisation has defined how regularly the treatment plans, taken as a whole, are evaluated for their proportionality to the risk assessment (risk severity and probability).
The implemented risk management measures and the overall state of risk management are reviewed regularly.
The operating model for monitoring the status of risk management is clearly described.
The organisation must consider the risks to achieving its information security goals. Risks to the achievement of those goals must be mitigated by establishing control measures in at least the following areas:
In the management of information security risks, duties that are not compatible with each other must be segregated.
Where duties are incompatible but segregating them is not practical, separate controls must be developed to monitor the combined role.