Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling.


CONTROL ID
06472
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain risk assessment procedures., CC ID: 06446

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The regulatory impact, including the potential for public censure by the regulator, fines or even variation of permissions. (Title 3 3.2.3 43.d, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • The upstream company should review the laws of the country where the business is located or publicly-traded, where the minerals originated from, and the transit or re-export countries when assessing the supply chain risks. (Supplement on Tin, Tantalum, and Tungsten Step 2: I.C.1(b), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The upstream company should review the legal contracts that govern the operations and business relations when assessing the supply chain risks. (Supplement on Tin, Tantalum, and Tungsten Step 2: I.C.1(c), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The upstream company should review other relevant international laws and guidance when assessing the supply chain risks. (Supplement on Tin, Tantalum, and Tungsten Step 2: I.C.1(d), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Information risk assessments should take into account compliance requirements with legislation. (SR.01.02.06a-1, The Standard of Good Practice for Information Security)
  • Information risk assessments should take into account compliance requirements with regulations. (SR.01.02.06a-2, The Standard of Good Practice for Information Security)
  • Information risk assessments should take into account compliance requirements with contractual obligations. (SR.01.02.06a-3, The Standard of Good Practice for Information Security)
  • Information risk assessments should take into account service level agreements associated with business applications. (SR.01.02.06b-1, The Standard of Good Practice for Information Security)
  • Information risk assessments should take into account Service Level Agreements associated with computer systems. (SR.01.02.06b-2, The Standard of Good Practice for Information Security)
  • Information risk assessments should take into account Service Level Agreements associated with networks. (SR.01.02.06b-3, The Standard of Good Practice for Information Security)
  • Information risk assessments should take into account compliance requirements with legislation. (SR.01.02.09a, The Standard of Good Practice for Information Security, 2013)
  • Information risk assessments should take into account service level agreements associated with business applications. (SR.01.02.08a, The Standard of Good Practice for Information Security, 2013)
  • The Risk Management policy shall include a way to establish the risk acceptability criteria for the safety, effectiveness, and data and systems security by taking into account national or regional regulations and international standards. (§ 4.2.1 ¶ 1(b), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • takes into account legal and other requirements to which the organization subscribes, (§ 8.2.1 ¶ 1 b), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • This will help the organization to: - align risk management with its objectives, strategy and culture; - recognize and address all obligations, as well as its voluntary commitments; - establish the amount and type of risk that may or may not be taken to guide the development of risk criteria, ensu… (§ 5.2 ¶ 2, ISO 31000 Risk management - Guidelines, 2018)
  • legal requirements and other requirements (see 6.1.3). (§ 6.1.1 ¶ 2 Bullet 4, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • The information security risk criteria should be established considering the context of the organization and requirements of interested parties and should be defined in accordance with top management's risk preferences and risk perceptions on one hand and should allow for a feasible and appropriate … (§ 6.1.2 Guidance ¶ 1, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The service auditor should also consider whether the risk assessment procedures and other procedures related to obtaining the understanding indicate a risk of material misstatement due to fraud or noncompliance with laws or regulations. For example, fraud risks related to a service organization migh… (¶ 2.122, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • In accordance with paragraph .33 of AT-C section 205, the service auditor should (a) consider whether risk assessment procedures and other procedures related to understanding the service organization's system and related controls indicate a risk of material misstatements due to fraud or noncomplianc… (¶ 3.195, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • consider whether risk assessment procedures and other procedures related to understanding the subject matter indicate risk of material misstatement due to fraud or noncompliance with laws or regulations. (AT-C Section 205.32 a., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Incorporate legal and regulatory requirements. (App A Objective 5.1.b, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Financial institutions engaged in retail payment systems should establish an appropriate risk management process that identifies, measures, monitors, and limits risks. Management and the board should manage and mitigate the identified risks through effective internal and external audit, physical and… (Retail Payment Systems Risk Management, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)