The organization will correlate its risk assessment approach to the business impact of the risks being evaluated. [UCF ID 00686]
Supporting and supported controls
This control directly supports:
• Risk Assessment [UCF Control ID 00685]
This control has the following supporting controls:
• Conducting a Business Impact Analysis [UCF Control ID 01147]
Authority documents complied with:
Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework 728; FFIEC IT Examination Handbook – Information Security Pg 10; FFIEC IT Examination Handbook – Business Continuity Planning Exam Tier I Obj 3.1; FFIEC IT Examination Handbook – Operations Pg 30; FFIEC IT Examination Handbook – Supervision of Technology Service Providers Pg 3; CobiT 4.1 PO9.1; The Standard of Good Practice for Information Security SM3.4.4, SM3.4.6(b), CB5.3.3, CB5.3.5(b), CI5.4.2, CI5.4.4, CI5.4.6(b), NW4.4.2, NW4.4.4, NW4.4.6(b), SD3.5.4, SD3.5.6(b); ISO 17799:2000, Code of Practice for Information Security Management § 11.1.2; ISO 27001:2005, Information Security Management Systems - Requirements § 4.2.1 (e), A.6.2.1; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14 § 3.3.1
Banking and Finance Guidance
The FFIEC IT Examination Handbook – Operations Pg 30 states that the organization should conduct a risk assessment of the criticality of the organization's applications and data in order for management to determine the back-up methodologies that should be used.
Healthcare and Life Science Guidance
While HIPAA requires a risk assessment process, it does not directly address the need for this business risk assessment control objective.
US Federal Security Guidance
Though government regulations address the need for an auditor’s understanding of agencies’ risk assessments, they do not directly address this risk assessment control objective.
NIST Guidance
NIST 800-14 § 3.3.1 describes the activities that must be carried out to conduct a thorough risk assessment. At a high level, a risk assessment has three parts: determining the assessment's scope and methodology, collecting and analyzing data, and interpreting the risk assessment results. Each of these three parts is discussed in greater detail in the standard. This section is worth reviewing directly.
International Standards Organization Guidance
ISO 17799 § 11.1.2 calls for a business impact analysis, identifying events that can cause interruptions to business processes.
ISO 27001:2005, Information Security Management Systems - Requirements § 4.2.1 (e) and A.6.2.1 state that the organization should assess the business impact of a security failure. The assessment should consider the loss of confidentiality, integrity, and availability. The business impact of external parties accessing the organization's data should be identified and appropriate controls implemented.
