The organisation must maintain a list of the data systems in use and their owners. The owner is responsible for completing the related documentation and any other security actions that apply directly to the data system.
Data system documentation must include at least:
The organization shall maintain a list of data sets contained in the data stores it manages.
The documentation shall include at least the following information:
The organization has defined procedures for assessing and treating cyber security risks. The definition includes at least:
The task owner regularly checks that the procedure is clear and produces consistent results.
The organization proactively seeks to identify cyber security risks and to assess the likelihood and severity of each. The documentation shall include the following:
Implemented risk management measures and the overall situation of risk management are checked regularly.
The operating model for monitoring the status of risk management is clearly described.
As part of the security risk assessment, the organization shall make assessments of the severity and probability of the risk materializing.
The organization shall have a clearly instructed risk scale that allows each participant in the risk assessment to decide on the appropriate level of severity and probability.
The organisation must enable asset-based risk management in the ISMS settings.
Asset-based risk management should be configured to cover all required asset types at a sufficiently high level of criticality. At a minimum, asset-based risk management should be used for:
After risk treatment, the organization assesses the remaining level of residual risk per risk.
For each residual risk, the risk owner makes a clear decision either to close the risk or to return it to the treatment queue.