Employ risk assessment procedures that take into account prior risk assessment findings of the same scope.


CONTROL ID
06478
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain risk assessment procedures., CC ID: 06446

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • the depth, detail and intensity of ICT assessment should be proportionate to the size, structure and operational environment of the institution as well as the nature, scale and complexity of its activities. (Title 1 10.b, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • ICT risk and controls self-assessments (if provided in the ICAAP information); (Title 3 3.1 37.a, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • ICT risk related Management Information (MI) submitted to the institution's management body, e.g. periodic and incident driven ICT risk reporting (including in the operational loss database), ICT risk exposure data from the institution's risk management function; (Title 3 3.1 37.b, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • In particular, the assessment of governance and ICT strategy performed in accordance with Title 2 of these Guidelines should result in findings that inform the summary of findings of the assessment of internal governance and institution-wide controls element of SREP as specified in Title 5 of the EB… (Title 1 14., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Information risk assessments should take into account previous risk assessments conducted on the information or system being assessed. (SR.01.02.06f, The Standard of Good Practice for Information Security)
  • Standards / procedures should cover the relationship with (and alignment to) other risk reporting. (SI.02.02.02e, The Standard of Good Practice for Information Security)
  • Standards / procedures should cover the relationship with (and alignment to) other risk reporting. (SI.02.02.02e, The Standard of Good Practice for Information Security, 2013)
  • Information risk assessments should take into account previous risk assessments conducted on the information or system being assessed. (SR.01.02.08d, The Standard of Good Practice for Information Security, 2013)
  • assess the effect on previous risk management activities and feed the results of this assessment back into the risk management process. (§ 6.7 ¶ 4 Bullet 1, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)