Objective: Information security risk management aims at the timely detection, assessment and addressing of risks in order to achieve the protection goals of information security. It thus enables the organization to establish adequate measures for protecting its information assets under consideration of the associated prospects and risks. It is recommended to keep the information security risk management of an organization as simple as possible such as to enable its effective and efficient operation.
Requirements (must): Risk assessments are carried out both at regular intervals and in response to events.
Information security risks are appropriately assessed (e.g. for probability of occurrence and potential damage).
Information security risks are documented.
A responsible person (risk owner) is assigned to each information security risk. This person is responsible for the assessment and handling of the information security risks.
Requirements (should): A procedure is in place defining how to identify, assess and address security risks within the organization.
Criteria for the assessment and handling of security risks exist.
Measures for handling security risks and the persons responsible for these are specified and documented:
- A plan of measures or an overview of their state of implementation is followed.
In case of changes to the environment (e.g. organizational structure, location, changes to regulations), reassessment is carried out in a timely manner.
The organization has defined procedures for assessing and treating cyber security risks. The definition includes at least:
The task owner regularly checks that the procedure is clear and produces consistent results.
The organization proactively seeks to list and assess the likelihood and severity of various cyber security risks. The documentation shall include the following:
Tietoturvariskien hallintaa toteuttaessaan organisaation on tunnistettava käsittelyä vaativat riskit ja määriteltävä näille käsittelysuunnitelmat, jotka usein koostuvat uusista tietoturvallisuustoimenpiteistä.
Organisaatio on määritellyt, kuinka säännöllisesti arvioidaan kokonaisuutena määriteltyjä käsittelysuunnitelmia ja niiden oikeasuhtaisuutta riskeille täytettyihin arvioihin (riskin vakavuus ja todennäköisyys) verrattuna.
The organization shall establish a description of the procedures for risk management processes and it has to be approved. The organization must agree about it with the organization's stakeholders.
As part of the security risk assessment, the organization shall make assessments of the severity and probability of the risk materializing.
The organization shall have a clearly instructed risk scale that allows each participant in the risk assessment to decide on the appropriate level of severity and probability.
The organisation has to evaluate the impact of business disruptions and risks. Based on this evaluation the organisation must prioritize themes in continuity planning to focus on the important risk related issues.
The organization must take into account risk management procedures results when planning internal audit topics and execution, and when executing audits.
The organization has an operating model for continuously improving the functionality and efficiency of the risk management process.
In the improvement, it is possible to use e.g. general standards (e.g. ISO 27005) or feedback from people involved in risk management.
In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.
.png)
Elevate Your Knowledge with Exclusive Access to Weekly Webinars, Video Courses, Help Articles, and Blogs.
