The organization has defined procedures for assessing and treating cyber security risks. The definition includes at least:
The task owner regularly checks that the procedure is clear and produces consistent results.
The organization proactively seeks to list and assess the likelihood and severity of various cyber security risks. The documentation shall include the following:
Top management of the organization is responsible for:
Management support, guidance and responsibility are manifested in the fact that the organization has security principles approved by top management, which describe the connection of the organization's information security measures to the organization's operations. This shows that the management is committed to the organization's safety principles and that the principles represent the will of the management and support the organization's operations. The principles can be described in many different ways, for example as a single document, as part of general operating principles, policy or strategy.